CVE-2026-33492 in AVideo
Summary
by MITRE • 03/23/2026
WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly disabled session regeneration in `User::login()`, this allows a classic session fixation attack where an attacker can fix a victim's session ID before authentication and then hijack the authenticated session. Commit 5647a94d79bf69a972a86653fe02144079948785 contains a patch.
Analysis
by VulDB Data Team • 03/28/2026
CVE-2026-33492 affects WWBN AVideo 26.0 and earlier and is a session fixation flaw (CWE-384) in the platform's session management. The `_session_start()` function accepts an arbitrary session identifier from the `PHPSESSID` GET parameter and installs it as the active PHP session, without checking that the server ever issued that identifier and without regenerating it. An attacker can therefore decide which session identifier a victim's browser will use simply by embedding it in a link, bypassing the normal flow in which the server issues the identifier itself.
Two further properties turn this into an exploitable chain. First, the session regeneration that would normally replace an attacker-chosen identifier is bypassed for a set of blacklisted endpoints when the request originates from the same domain, so an identifier fixed through such an endpoint survives. Second, `User::login()` explicitly disables session regeneration, so authentication itself never replaces the identifier either. The result is the classic session fixation scenario: the attacker obtains a session identifier, delivers it to the victim in a `PHPSESSID` URL parameter, waits for the victim to log in, and then presents the same identifier to the server to act as the victim. No privileges are needed beyond getting the victim to open the link, and every request involved is an ordinary HTTP request.
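The chain described above, modelled as an added example (constructed for this page, not AVideo's code): a toy session store, an application class that behaves the way the advisory describes, a hardened variant beside it, and the four-step fixation played against both. The class and method names, the demo credential and the cookie-versus-GET handling are assumptions of the model, and the blacklisted-endpoint bypass is collapsed into "the vulnerable application never regenerates".

```python
"""Session fixation chain modelled in Python (added example, not AVideo code)."""
import secrets


class SessionStore:
    """Stand-in for PHP's session save handler: session id -> session data."""

    def __init__(self):
        self.sessions = {}

    def new_id(self):
        return secrets.token_hex(16)


class VulnerableApp:
    """Models the flaw the advisory describes: the id in ?PHPSESSID= is adopted
    as the active session and login() never regenerates it."""

    PASSWORD = "correct-horse"  # constructed credential for the demo

    def __init__(self, store):
        self.store = store

    def session_start(self, cookie_sid=None, get_sid=None):
        # The GET parameter wins, and an id nobody has seen before is simply created.
        sid = get_sid or cookie_sid or self.store.new_id()
        self.store.sessions.setdefault(sid, {})
        return sid

    def login(self, sid, user, password):
        if password != self.PASSWORD:
            return None
        self.store.sessions[sid]["user"] = user  # same id before and after auth
        return sid

    def whoami(self, sid):
        return self.store.sessions.get(sid, {}).get("user")


class HardenedApp(VulnerableApp):
    """Same application with the two fixes: ids are taken only from the cookie
    and must already exist (what PHP's session.use_only_cookies=1 plus
    session.use_strict_mode=1 enforce), and login() swaps in a fresh id
    (what session_regenerate_id(true) does)."""

    def session_start(self, cookie_sid=None, get_sid=None):
        if cookie_sid in self.store.sessions:
            return cookie_sid
        sid = self.store.new_id()  # unknown or missing id: start a new session
        self.store.sessions[sid] = {}
        return sid

    def login(self, sid, user, password):
        if password != self.PASSWORD:
            return None
        data = self.store.sessions.pop(sid)  # the pre-auth id is destroyed...
        data["user"] = user
        new_sid = self.store.new_id()        # ...and a fresh one carries the login
        self.store.sessions[new_sid] = data
        return new_sid


def run_fixation(app_cls):
    """Play the attack against an app class; returns (attacker_sees, victim_sees)."""
    app = app_cls(SessionStore())
    # 1. attacker obtains a valid session id of their own
    attacker_sid = app.session_start()
    # 2. victim opens the attacker's link .../?PHPSESSID=<attacker_sid>;
    #    the browser has no cookie yet, so only the GET parameter is present
    victim_sid = app.session_start(get_sid=attacker_sid)
    # 3. victim authenticates in whatever session the server handed them
    victim_sid = app.login(victim_sid, "victim", VulnerableApp.PASSWORD)
    # 4. attacker replays the id they fixed in step 2
    return app.whoami(attacker_sid), app.whoami(victim_sid)


if __name__ == "__main__":
    print("vulnerable:", run_fixation(VulnerableApp))  # ('victim', 'victim')
    print("hardened:  ", run_fixation(HardenedApp))    # (None, 'victim')
```

Against the vulnerable class the attacker's own identifier is the victim's authenticated session; against the hardened class the attacker-supplied identifier is never adopted, and even a cookie the victim already held is replaced at login, so the attacker's identifier stays anonymous while the victim's session keeps working.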
The operational impact is severe for AVideo deployments: the attacker inherits the full privileges of the victim's account without ever learning the victim's credentials and without any further exploitation step. Once the identifier is fixed, the attacker only has to wait for the victim to authenticate and can then act as the victim, which can lead to complete account compromise, exposure of user data and private content, and further actions inside the application under the victim's identity. The attack needs no specialised tooling or deep technical knowledge, so it is within reach of low-skilled attackers. In ATT&CK terms, delivering the crafted link to the victim corresponds to T1566 (Phishing), and reusing the fixed identifier once the victim has authenticated corresponds to T1550.004 (Use Alternate Authentication Material: Web Session Cookie).
The patch in commit 5647a94d79bf69a972a86653fe02144079948785 corrects the session management flow. Based on the advisory text, the expected changes are that `_session_start()` no longer adopts an identifier supplied in the `PHPSESSID` GET parameter and that a fresh identifier is generated when a user authenticates; the commit itself should be consulted for the exact changes. Operators should update to a release that contains that commit. As defence in depth, PHP can be configured to take session identifiers only from cookies and to reject identifiers it did not issue (`session.use_only_cookies=1`, `session.use_trans_sid=0`, `session.use_strict_mode=1`), the session cookie should carry the `HttpOnly`, `Secure` and `SameSite` attributes, and any login code path should call `session_regenerate_id(true)`; these settings are a backstop, not a substitute for the application-level fix. For monitoring, requests whose query string carries a `PHPSESSID` parameter are the most direct indicator, especially when they arrive with an external referrer or when the same identifier is presented from several client addresses.
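An added detection example (not VulDB's or AVideo's code) that scans combined-format access log lines for the indicators above: requests carrying a `PHPSESSID` query parameter, whether each arrived with an external referrer, and identifiers presented from more than one client address. The log lines, IP addresses, session identifier, `/login` path and the `own_hosts` hostname are all constructed for the demo.

```python
"""Flag session-fixation indicators in web server access logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format log lines for the demo; not real AVideo traffic.
# 198.51.100.9 plays the attacker testing the link, 203.0.113.7 the victim
# arriving from a mail client with the same identifier in the URL.
SID = "4f9a8c2d1e7b6a5f4e3d2c1b0a9f8e7d"
SAMPLE_LOG = f"""\
203.0.113.7 - - [28/Mar/2026:10:01:02 +0000] "GET /videos/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2026:10:01:40 +0000] "GET /?PHPSESSID={SID} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2026:10:02:05 +0000] "GET /?PHPSESSID={SID} HTTP/1.1" 200 5120 "https://mail.example/inbox" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2026:10:02:40 +0000] "POST /login HTTP/1.1" 302 0 "https://video.example/" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def session_id_in_url(target):
    """Return the PHPSESSID value in the request target's query string, or None."""
    values = parse_qs(urlsplit(target).query).get("PHPSESSID")
    return values[0] if values else None


def find_fixation_attempts(log_text, own_hosts=("video.example",)):
    """Return one finding per request that carries a session id in the URL."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparsable line: skip rather than guess
        rec = match.groupdict()
        sid = session_id_in_url(rec["target"])
        if sid is None:
            continue
        referer_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "sid": sid,
            # a link carrying a session id that was clicked on another site
            # is the classic delivery path for a fixed identifier
            "external_referer": referer_host is not None and referer_host not in own_hosts,
        })
    return findings


def sids_from_multiple_ips(findings):
    """Session ids that more than one client address presented in a URL."""
    ips_by_sid = defaultdict(set)
    for f in findings:
        ips_by_sid[f["sid"]].add(f["ip"])
    return {sid: ips for sid, ips in ips_by_sid.items() if len(ips) > 1}


if __name__ == "__main__":
    hits = find_fixation_attempts(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("shared ids:", sids_from_multiple_ips(hits))
```

On the sample, the attacker's own test hit is flagged only for carrying the parameter, the victim's hit is additionally flagged for its external referrer, and the identifier shows up from both addresses; in a real deployment the first finding alone is worth an alert once the application no longer expects `PHPSESSID` in URLs at all.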