CVE-2026-33501 in AVideo
Summary
by MITRE • 03/23/2026
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches.
Analysis
by VulDB Data Team • 03/28/2026
The vulnerability identified as CVE-2026-33501 affects the WWBN AVideo platform, an open source video management system that has been widely adopted for hosting and managing video content. This security flaw resides within the permission management subsystem of the platform, specifically targeting the Users_groups_permissions list endpoint that exposes sensitive authorization data to unauthorized users. The vulnerability represents a critical oversight in the platform's access control mechanisms, as it allows any unauthenticated user to obtain comprehensive information about the permission structure that governs user group access to various plugins and system components. This exposure fundamentally undermines the platform's security model by providing attackers with detailed insights into the internal access control matrix that should remain confidential to maintain proper security boundaries.
The technical flaw manifests in the `plugin/Permissions/View/Users_groups_permissions/list.json.php` endpoint which fails to implement any form of authentication or authorization verification before returning sensitive permission data. This endpoint operates without requiring users to prove their identity or demonstrate appropriate access rights, creating a direct information disclosure vulnerability that violates fundamental security principles of least privilege and access control. The vulnerability is particularly concerning because it represents an inconsistency in the platform's security implementation, as all other sibling endpoints within the same directory properly enforce administrative access through the `User::isAdmin()` check. This discrepancy indicates either a simple coding oversight or inadequate security review processes during the development cycle. The commit history shows that patches were developed to address this issue, with specific changes documented in commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516, suggesting that the development team recognized the severity of this access control weakness.
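To make the defect concrete, the following added example (written for this page, not AVideo's own code) contrasts the pattern the advisory describes with the hardened form that mirrors the sibling endpoints. The `User::isAdmin()` guard is the one named on the page; the include path, the JSON shape, the permission rows, and the callables used to keep the file runnable from the command line are all assumptions.

```php
<?php
// Added example, not AVideo's code. In the real endpoint the guard sits at the
// top of list.json.php after the configuration include, e.g.
//   require_once '<path-to>/videos/configuration.php';   // placeholder path
//   if (!User::isAdmin()) { http_response_code(403); exit; }
// The functions below take the guard and the data loader as callables so the
// file can be run stand-alone without the platform.

// Pattern described in the advisory: no identity or role check at all, so the
// complete group -> plugin permission matrix is returned to anyone who asks.
function listPermissionsVulnerable(callable $loadPermissions): array
{
    return ['error' => false, 'rows' => $loadPermissions()];
}

// Hardened pattern: deny by default using the same check the sibling endpoints
// (add.json.php, delete.json.php, index.php) already use, then return the data.
function listPermissionsHardened(callable $isAdmin, callable $loadPermissions): array
{
    if (!$isAdmin()) {
        // 403 rather than 401: the resource exists, the caller is not allowed.
        http_response_code(403);
        return ['error' => true, 'msg' => 'Only admins can list permissions', 'rows' => []];
    }
    return ['error' => false, 'rows' => $loadPermissions()];
}

// Constructed sample matrix standing in for the database query.
$matrix = [
    ['users_groups_id' => 1, 'plugin' => 'Live',      'permission' => 'manage'],
    ['users_groups_id' => 2, 'plugin' => 'Permissions', 'permission' => 'view'],
];
$load = fn(): array => $matrix;

$anonymous = fn(): bool => false;   // stand-in for User::isAdmin() with no session
$admin     = fn(): bool => true;    // stand-in for an authenticated admin session

echo "vulnerable, anonymous: ", json_encode(listPermissionsVulnerable($load)), "\n";
echo "hardened,   anonymous: ", json_encode(listPermissionsHardened($anonymous, $load)), "\n";
echo "hardened,   admin:     ", json_encode(listPermissionsHardened($admin, $load)), "\n";
```

The important property is that the guard runs before any data is loaded or serialized; an endpoint that queries first and filters afterwards still leaks through timing and error paths.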
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with a complete mapping of user group permissions across the platform's plugin ecosystem. This intelligence could enable sophisticated attack vectors including privilege escalation attempts, targeted exploitation of specific plugin vulnerabilities, or social engineering campaigns that leverage the permission structure to craft more convincing attacks. Security researchers should note that this vulnerability aligns with CWE-284 (Improper Access Control) and represents a classic example of inadequate authentication enforcement that violates the principle of least privilege. The exposure of permission matrices can be particularly damaging in environments where multiple user groups have distinct access levels to sensitive system functions, as it eliminates the security through obscurity that might otherwise provide some protection against targeted attacks. From an attacker's perspective, this information could be used to identify the most privileged user groups, understand the platform's security architecture, and plan more effective exploitation strategies.
Organizations running WWBN AVideo versions up to and including 26.0 should mitigate this vulnerability immediately. The most effective fix is to apply the official updates in the referenced commits, which restore the authentication check on the vulnerable endpoint. System administrators should also consider network-level restrictions that limit access to sensitive API endpoints, particularly those that expose permission information or administrative functions. The vulnerability shows why access control must be applied consistently across every endpoint of an application, and why security testing must include access control verification. Security teams should audit similar endpoints within the platform for other access control oversights, since this flaw may indicate broader issues in the application's security architecture. Organizations should additionally monitor for unusual access patterns to permission-related endpoints, as unauthorized access to this information could indicate active exploitation attempts. The ATT&CK framework would categorize this vulnerability under T1078 (Valid Accounts) and T1566 (Phishing), because attackers could leverage the disclosed information to craft more sophisticated social engineering campaigns or to identify legitimate administrative accounts that should not be accessible to regular users.
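The audit recommended above can be started with a simple static check. The following added example (not part of AVideo) walks a `View` directory tree and reports every PHP endpoint that never calls `User::isAdmin()`; the guard string list, the directory layout and the sample files it creates are constructed for the demonstration and mirror the advisory's scenario, in which three sibling files carry the check and `list.json.php` does not.

```php
<?php
// Added example, not AVideo's code: a static audit for unguarded endpoints.
// It is a substring heuristic, so a guard performed in an included bootstrap
// file, or one present only in dead code, will not be detected correctly.

function findUnguardedEndpoints(string $root, array $guards = ['User::isAdmin(']): array
{
    $unguarded = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile() || substr($file->getFilename(), -4) !== '.php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        $guarded = false;
        foreach ($guards as $guard) {
            if (strpos($src, $guard) !== false) {
                $guarded = true;
                break;
            }
        }
        if (!$guarded) {
            $unguarded[] = $file->getPathname();
        }
    }
    sort($unguarded);
    return $unguarded;
}

// Build a constructed directory tree shaped like the advisory's scenario.
$root = sys_get_temp_dir() . '/avideo_audit_' . getmypid();
$dir  = "$root/Users_groups_permissions";
mkdir($dir, 0700, true);

$guarded = "<?php\nif (!User::isAdmin()) { http_response_code(403); exit; }\n";
file_put_contents("$dir/add.json.php",    $guarded . "// add a permission row\n");
file_put_contents("$dir/delete.json.php", $guarded . "// delete a permission row\n");
file_put_contents("$dir/index.php",       $guarded . "// admin UI page\n");
// The odd one out: returns data with no check at all.
file_put_contents("$dir/list.json.php",   "<?php\necho json_encode(['rows' => []]);\n");

$findings = findUnguardedEndpoints($root);
foreach ($findings as $path) {
    echo "UNGUARDED: $path\n";   // prints the list.json.php path only
}

// Clean up the constructed tree.
foreach (new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
) as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($root);
exit(count($findings) === 0 ? 0 : 1);
```

Run against a real checkout, point `$root` at each plugin's `View` directory and treat every reported file as a candidate for manual review rather than a confirmed flaw; the non-zero exit status makes the check usable as a CI gate.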