CVE-2026-33502 in AVideo
Summary
by MITRE • 03/23/2026
WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints. Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contains a patch.
Analysis
by VulDB Data Team • 03/28/2026
CVE-2026-33502 affects WWBN AVideo in all versions up to and including 26.0. It is a critical flaw: it undermines the platform's network isolation and exposes operators to significant operational risk. The weakness lives in plugin/Live/test.php, which handles incoming requests without authenticating the caller or validating the requested destination, so any remote user can make the server's own network position work for them.
The issue is an unauthenticated server-side request forgery: any remote user can hand the endpoint a URL, and the AVideo server fetches it on their behalf. Because test.php neither checks who is calling nor checks where the request is going, it will reach arbitrary destinations, including loopback addresses and internal services that network segmentation would otherwise keep out of reach. This is CWE-918 (Server-Side Request Forgery), in which an attacker steers a server-side request toward resources that only the server can reach.
The impact goes beyond simple probing. An attacker can use the server as a vantage point to enumerate internal services and look for further weaknesses, and where internal HTTP resources respond, the flaw can support privilege escalation or data exfiltration. The exposure is most severe in cloud deployments where the instance metadata service is reachable from the AVideo host, since metadata endpoints commonly hold credentials and configuration data that enable further compromise.
Practitioners should consider the issue in the context of ATT&CK tactic TA0011 - Command and Control, in which adversaries establish channels to control compromised systems, and of TA0007 - Credential Access, since the reachable internal resources may contain authentication credentials. Operators should apply the fix in commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 without delay; it addresses the root cause by adding input validation and an authentication requirement to the test.php endpoint. Beyond patching, egress from the AVideo server to internal services should be restricted with network segmentation and firewall rules, and monitoring should watch for request patterns against the endpoint that indicate exploitation attempts. The case shows why access controls and destination validation are needed in any web application feature that performs server-side requests.
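The two controls the analysis calls for, destination validation on the fetching endpoint and monitoring for exploitation attempts against it, are shown together below. This is an added example written for this page, not code from AVideo or from the VulDB analysis. It assumes the endpoint receives its target in a `url` query parameter (the real parameter name in plugin/Live/test.php is not stated here), that the web server writes Apache combined-format access logs, and it resolves hostnames through a constructed lookup table so it runs offline; the log lines and DNS answers are constructed samples.

```python
"""SSRF destination check and access-log triage for a URL-fetching endpoint.
Illustrative code for CVE-2026-33502; not AVideo's own implementation."""
import ipaddress
import socket
from urllib.parse import parse_qs, urlparse

# Assumption: the target URL arrives in a `url` query parameter.
PARAM = "url"
ENDPOINT = "plugin/Live/test.php"

# Ranges a server-side fetch should never reach: loopback, RFC 1918, link-local
# (which contains the 169.254.169.254 cloud metadata address), CGNAT, the
# unspecified network, and their IPv6 counterparts.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10", "::/128",
)]


def is_blocked_ip(ip):
    """True if the address falls in a range the server must not contact."""
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 literal (::ffff:127.0.0.1) must be judged as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)


def resolve_all(host):
    """Every address the host resolves to, via the real resolver."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_fetch_target(url, resolver=resolve_all):
    """Return (ok, reason). Every address the host resolves to must be public."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not p.hostname:
        return False, "no host"
    if p.username or p.password:
        return False, "userinfo in URL"      # hides the real host from a naive check
    addrs = resolver(p.hostname)
    if not addrs:
        return False, "unresolvable host"
    for a in addrs:
        if is_blocked_ip(a):
            return False, f"resolves to blocked address {a}"
    return True, "ok"


def triage_access_log(lines, resolver=resolve_all):
    """Flag requests to the endpoint whose `url` target fails the check."""
    hits = []
    for line in lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        fields = parts[1].split()       # 'GET /path?query HTTP/1.1'
        if len(fields) < 2 or ENDPOINT not in fields[1]:
            continue
        for target in parse_qs(urlparse(fields[1]).query).get(PARAM, []):
            ok, reason = check_fetch_target(target, resolver)
            if not ok:
                hits.append((fields[1], target, reason))
    return hits


# Constructed DNS answers so the example runs without network access.
FAKE_DNS = {
    "example.com": ["203.0.113.10"],
    "intranet.local": ["10.0.0.5"],
    "rebind.test": ["203.0.113.10", "127.0.0.1"],   # mixed answer set
}


def fake_resolver(host):
    try:
        return [str(ipaddress.ip_address(host))]    # literal IP resolves to itself
    except ValueError:
        return FAKE_DNS.get(host, [])


# Constructed access-log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Mar/2026:10:00:01 +0000] "GET /plugin/Live/test.php?url=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 512 "-" "curl/8.5"',
    '203.0.113.5 - - [23/Mar/2026:10:00:02 +0000] "GET /plugin/Live/test.php?url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 88 "-" "curl/8.5"',
    '198.51.100.9 - - [23/Mar/2026:10:00:03 +0000] "GET /plugin/Live/test.php?url=https%3A%2F%2Fexample.com%2F HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Mar/2026:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, target, reason in triage_access_log(SAMPLE_LOG, fake_resolver):
        print(f"suspicious: {path} -> {target} ({reason})")
```

Two design points matter in practice. The check rejects a host if any resolved address is blocked, which defeats a mixed DNS answer, but it cannot by itself defeat DNS rebinding between the check and the fetch; the fetching code should connect to the address it validated (or validate again inside the HTTP client's connect hook) rather than resolving a second time. And the triage routine is only as good as the access log: if test.php is ever called with the target in a POST body rather than the query string, the log will not show it, and detection has to move to the outbound side (egress firewall or proxy logs from the AVideo host).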