CVE-2026-33649 in AVideo
Summary
by MITRE • 03/23/2026
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets `session.cookie_samesite=None` on session cookies. This allows an unauthenticated attacker to craft a page with `<img>` tags that, when visited by an admin, silently grant arbitrary permissions to the attacker's user group — escalating the attacker to near-admin access. As of time of publication, no known patched versions are available.
Analysis
by VulDB Data Team • 03/28/2026
The vulnerability identified as CVE-2026-33649 affects WWBN AVideo, an open source video management platform used for hosting and managing video content. The flaw lies in the plugin permissions system, specifically in the `plugin/Permissions/setPermission.json.php` endpoint, which handles user group permission modifications. It is a critical weakness in the platform's access control and can allow attackers to gain administrative privileges. Version 26.0 and all earlier releases are affected; the weakness stems from the absence of CSRF protection on a state-changing endpoint.
Technically, the vulnerability exploits the absence of CSRF token validation on a state-changing endpoint that should only accept deliberate, authorized requests. When an administrator visits a malicious page containing crafted `<img>` tags, the browser fetches each image source and thereby issues the permission-modification request to the vulnerable endpoint, silently and without any further user interaction. The endpoint accepts GET parameters for permission changes, which is inherently dangerous: GET requests should never be used for operations that modify system state, and they are trivially triggered by any embedded resource. The application's explicit `session.cookie_samesite=None` setting compounds the problem by instructing the browser to attach the session cookie to cross-site requests, removing the SameSite protection that would otherwise stop the forged request from arriving with the administrator's session.
The operational impact is severe: an attacker needs no credentials of their own to escalate privileges. By crafting a webpage with embedded image tags and getting an administrator to view it, the attacker's user group is granted elevated permissions. This can lead to complete compromise of the platform, including unauthorized access to sensitive user data and content management functions, and potentially to further exploitation within the network. Exploitation is particularly concerning because it requires no prior authentication and nothing more than simple HTML embedding. With no patched versions available at the time of publication, organizations running affected versions remain exposed to this threat.
This vulnerability aligns with CWE-352, Cross-Site Request Forgery (CSRF), and illustrates why every state-changing operation needs CSRF protection. It also relates to CWE-284, Improper Access Control, since the application does not verify that a request was intentionally issued by the authenticated, authorized user rather than forged on their behalf. From an ATT&CK framework perspective, this vulnerability maps to T1078.004 (Valid Accounts) and T1548.001 (Abuse of Functionality), as the attacker rides legitimate administrative access paths to escalate privileges, and the delivery follows T1566.001 (Phishing), since exploitation typically requires social engineering to lure an administrator to the malicious page. Organizations should immediately apply mitigations: enforce CSRF tokens on all state-changing operations, reject GET for such operations, set a restrictive SameSite attribute (rather than None) on the session cookie, and consider rate limiting or step-up authentication for permission modification endpoints. The case also underlines the need for regular security audits and prompt patch management; the absence of a patched version leaves users exposed to a known threat.
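As an added illustration (this is not AVideo's code and not part of the advisory), the following PHP places the weak handler pattern described above next to a hardened version of the same permission-change handler: POST only, a per-session CSRF token compared with `hash_equals()`, an Origin check, and session cookie parameters that do not use SameSite=None. All function names, the `csrf_token` session key, and the request arrays are assumptions constructed for the example.

```php
<?php
// Added example (not AVideo code): the weak pattern the advisory describes
// next to a hardened version of the same permission-change handler.
// Function names, the $_SESSION['csrf_token'] key and the request arrays
// below are assumptions for illustration, not AVideo's real identifiers.

declare(strict_types=1);

// Weak cookie configuration: SameSite=None makes the browser attach the
// session cookie to cross-site requests, so an <img> on another origin
// rides on the admin's session.
function weakSessionCookieParams(): array
{
    return ['secure' => true, 'httponly' => true, 'samesite' => 'None'];
}

// Hardened configuration: Lax (or Strict) keeps the cookie off cross-site
// subresource and POST requests. Pass the array to
// session_set_cookie_params() before session_start().
function hardenedSessionCookieParams(): array
{
    return ['secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
}

// Weak handler: accepts GET and trusts any logged-in admin session.
function weakSetPermission(array $request, array $session): bool
{
    if (empty($session['is_admin'])) {
        return false;
    }
    // In the weak design $request['params'] comes straight from $_GET, so a
    // cross-site <img src=...> reaching this point changes state.
    return applyPermission($request['params']);
}

// Hardened handler: POST only, a per-session CSRF token compared in
// constant time, and a same-origin check on the Origin header when present.
function hardenedSetPermission(array $request, array $session, string $expectedHost): bool
{
    if ($request['method'] !== 'POST') {
        return false;
    }
    if (empty($session['is_admin']) || empty($session['csrf_token'])) {
        return false;
    }
    $token = $request['params']['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals($session['csrf_token'], $token)) {
        return false;
    }
    $origin = $request['headers']['Origin'] ?? null;
    if ($origin !== null && parse_url($origin, PHP_URL_HOST) !== $expectedHost) {
        return false;
    }
    return applyPermission($request['params']);
}

// Token issuance for forms: generated once per session and embedded as a
// hidden field; the handler above compares it against the session copy.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Stand-in for the real permission update (constructed; only checks that
// the expected parameters are present).
function applyPermission(array $params): bool
{
    return isset($params['group_id'], $params['permission']);
}

// Constructed demo: a cross-site GET, as an <img> would produce it, against
// both handlers, then a legitimate token-bearing POST against the hardened one.
$session = ['is_admin' => true];
issueCsrfToken($session);

$crossSiteGet = [
    'method'  => 'GET',
    'params'  => ['group_id' => '7', 'permission' => 'manage_users'],
    'headers' => ['Referer' => 'https://attacker.invalid/'],
];
var_dump(weakSetPermission($crossSiteGet, $session));
var_dump(hardenedSetPermission($crossSiteGet, $session, 'video.example'));

$legitPost = [
    'method'  => 'POST',
    'params'  => ['group_id' => '7', 'permission' => 'manage_users',
                  'csrf_token' => $session['csrf_token']],
    'headers' => ['Origin' => 'https://video.example'],
];
var_dump(hardenedSetPermission($legitPost, $session, 'video.example'));
```

Run it with the PHP CLI: the weak handler applies the cross-site GET, while the hardened handler rejects it (wrong method, no token) and accepts only the same-origin POST carrying the session's token. The `hash_equals()` comparison avoids timing differences when checking the token, and the Origin check is a defence in depth on top of the token rather than a replacement for it; the `samesite` cookie parameter in array form is accepted by `session_set_cookie_params()` since PHP 7.3.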