CVE-2026-33650 in AVideo

Summary

by MITRE • 03/23/2026

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch.


Analysis

by VulDB Data Team • 03/28/2026

The vulnerability in WWBN AVideo version 26.0 and earlier is a privilege escalation flaw in the platform's video access control. It affects users holding the "Videos Moderator" permission, who are documented as being limited to changing a video's publicity status (Active, Inactive, Unlisted). The root cause is an inconsistency between two endpoints: `videoAddNew.json.php` uses `Permissions::canModerateVideos()` as the gate for the whole video edit, including the owner field, while `videoDelete.json.php` only checks that the caller owns the video and performs no permission check of its own. Because the two endpoints enforce different notions of "authorized", a moderator can satisfy each one in turn and reach an operation neither was meant to grant.

Exploitation is a two-step chain. First, the moderator submits an edit for any video through `videoAddNew.json.php` that sets the owner to their own account; the edit passes because `canModerateVideos()` returns true for a moderator, so the ownership change rides on the same gate as the permitted status changes. Second, now being the recorded owner, the same user deletes the video through `videoDelete.json.php`, which accepts the request on ownership alone. The combination gives a user with a narrowly scoped permission full control over any video on the instance, a straightforward failure of least privilege in the platform's core content management functions.
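The asymmetry and the chain described in the two paragraphs above, as an added example that models the authorization logic rather than reproducing AVideo's own code. The function and field names (`video_add_new_*`, `video_delete_*`, `can_moderate_videos`, `videos_moderator`) and the hardened policy are assumptions for illustration; the page does not describe what the referenced patch actually changes. The "vulnerable" pair reproduces the behaviour the analysis describes (one gate for the whole edit, ownership-only delete), the "hardened" pair applies one consistent rule: moderators may change publicity status, only the owner or an admin may transfer ownership or delete.

```python
"""Model of the CVE-2026-33650 authorization asymmetry (constructed example, not AVideo code)."""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    is_admin: bool = False
    videos_moderator: bool = False  # models the "Videos Moderator" permission


@dataclass
class Video:
    id: int
    owner: str
    status: str = "active"  # publicity: active / inactive / unlisted


class Forbidden(Exception):
    pass


def can_moderate_videos(user: User) -> bool:
    """Stand-in for Permissions::canModerateVideos(): admins and moderators."""
    return user.is_admin or user.videos_moderator


# --- vulnerable pair: single gate for the whole edit, ownership-only delete ---
def video_add_new_vuln(user: User, video: Video, *, status=None, new_owner=None) -> Video:
    # One check guards every field, so the owner field is editable by any moderator.
    if not (can_moderate_videos(user) or video.owner == user.name):
        raise Forbidden("not allowed to edit this video")
    if status is not None:
        video.status = status
    if new_owner is not None:
        video.owner = new_owner  # ownership transfer rides on the moderation gate
    return video


def video_delete_vuln(user: User, video: Video, store: dict) -> None:
    # Ownership is the only condition; no role or permission check at all.
    if video.owner != user.name:
        raise Forbidden("only the owner may delete")
    del store[video.id]


# --- hardened pair: one consistent policy per operation (assumed fix, not the project's patch) ---
def video_add_new_fixed(user: User, video: Video, *, status=None, new_owner=None) -> Video:
    is_owner = video.owner == user.name
    if status is not None:
        # Publicity changes are what the moderator permission is documented to allow.
        if not (user.is_admin or is_owner or can_moderate_videos(user)):
            raise Forbidden("not allowed to change status")
        video.status = status
    if new_owner is not None:
        # Ownership transfer is an owner/admin operation, never a moderation one.
        if not (user.is_admin or is_owner):
            raise Forbidden("not allowed to transfer ownership")
        video.owner = new_owner
    return video


def video_delete_fixed(user: User, video: Video, store: dict) -> None:
    # Same rule as ownership transfer, so the two endpoints cannot be chained.
    if not (user.is_admin or video.owner == user.name):
        raise Forbidden("only the owner or an admin may delete")
    del store[video.id]


def run_chain(add_new, delete) -> tuple:
    """Moderator attempts transfer-then-delete on another user's video.

    Returns (ownership_transferred, video_deleted)."""
    store = {1: Video(1, owner="alice")}
    mod = User("mallory", videos_moderator=True)
    transferred = deleted = False
    try:
        add_new(mod, store[1], new_owner="mallory")
        transferred = store[1].owner == "mallory"
        delete(mod, store[1], store)
        deleted = 1 not in store
    except Forbidden:
        pass
    return transferred, deleted


def moderator_can_set_status(add_new) -> bool:
    """The documented moderator capability must keep working under either variant."""
    video = Video(1, owner="alice")
    mod = User("mallory", videos_moderator=True)
    try:
        add_new(mod, video, status="unlisted")
    except Forbidden:
        return False
    return video.status == "unlisted" and video.owner == "alice"


if __name__ == "__main__":
    print("vulnerable chain (transferred, deleted):", run_chain(video_add_new_vuln, video_delete_vuln))
    print("hardened chain   (transferred, deleted):", run_chain(video_add_new_fixed, video_delete_fixed))
    print("moderator status change still works:", moderator_can_set_status(video_add_new_fixed))
```

The point the model makes is that the delete endpoint was not wrong in isolation: "owner may delete" is a reasonable rule. It became exploitable because another endpoint let a non-owner rewrite the owner field under a permission meant for something else. A review of an authorization boundary therefore has to ask which other code paths can change the attributes that boundary relies on.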

The operational impact goes beyond a single unauthorized deletion. A moderator can take over and remove any video on the instance, so the exposure is platform-wide content destruction and tampering by a low-privilege account, with the attendant data loss and reputational damage. Because ownership is the attribute other checks rely on, the same transfer step may also unlock further owner-only operations; the advisory names only deletion, but any ownership-gated function should be assumed reachable until audited. The issue is a failure of consistent authorization boundary enforcement rather than a bug in any one check.

Mitigation consists of applying the fix and then verifying that every video management operation checks the right thing. The commit referenced in the summary (838e16818c793779406ecbf34ebaeba9830e33f8) is stated to contain the patch; operators should upgrade past version 26.0 and confirm that a "Videos Moderator" account can change publicity status but can no longer change a video's owner or delete a video it does not own. More generally, ownership transfer and deletion should be gated by the same rule (owner or administrator) so that one endpoint cannot be used to satisfy the precondition of another. The weakness corresponds to CWE-285 (Improper Authorization) and violates the least-privilege control in NIST SP 800-53 (AC-6). Security teams should audit permission checks endpoint by endpoint, paying particular attention to fields such as owner that other checks depend on, and should log ownership changes and deletions with the acting user so that a transfer followed shortly by a deletion by the same non-owner account can be detected.

Responsible: GitHub M
Reservation: 03/23/2026
Disclosure: 03/23/2026
Moderation: accepted
CPE: ready
EPSS: 0.00044
KEV: no
Activities: very low
