CVE-2026-33685 in AVideo
Summary
by MITRE • 03/23/2026
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel names, user IDs, ad campaign names, and impression/click counts. The HTML counterpart (`reports.php`) and CSV export (`getCSV.php`) both correctly enforce `User::isAdmin()`, but the JSON API was left unprotected. Commit daca4ffb1ce19643eecaa044362c41ac2ce45dde contains a patch.
Analysis
by VulDB Data Team • 03/28/2026
CVE-2026-33685 affects WWBN AVideo, an open source video platform used for hosting and distributing multimedia content. The flaw sits in the plugin layer, in the AD_Server module, where the `reports.json.php` endpoint performs no authentication or authorization check before emitting data. All versions up to and including 26.0 are affected. The root cause is inconsistent enforcement across three endpoints that expose the same report: the HTML view `reports.php` and the CSV export `getCSV.php` both gate on `User::isAdmin()`, while the JSON variant was shipped without that gate, so the same data that is admin-only in two formats is world-readable in the third.
Technically this is a missing authorization check rather than a bypass of one: no credential, session or token is required, and any remote client that can reach the endpoint receives the full response. The weakness is classified as CWE-285 (Improper Authorization). The exposed data includes video titles, user channel names, user IDs, ad campaign names, and per-campaign impression and click counts. Because the endpoint returns machine-readable JSON, the whole dataset can be collected with a single request and parsed directly, which makes it a more convenient target than a scraped HTML page.
The operational impact goes beyond the raw data exposure. An attacker can map which creators run ad campaigns, how large their audiences are, and how those campaigns perform, using nothing more than an ordinary HTTP request that is indistinguishable in the access log from a legitimate one. That information supports competitive analysis, targeting of specific high-value users, and more convincing social-engineering pretexts. The vulnerability is a confidentiality issue only: the endpoint is read-only, so integrity and availability are not affected. The exposed user IDs and channel names also give an attacker a ready-made list for enumerating the platform's user base, and the campaign metrics reveal business and revenue information that the platform operator would normally keep private.
In ATT&CK terms the exposed data most directly serves reconnaissance and discovery: the user IDs and channel names feed Account Discovery (T1087) and Gather Victim Identity Information (T1589), and the resulting profile of users and campaigns can be used to craft targeted Phishing (T1566). No credentials or access tokens are exposed, so the endpoint does not by itself enable token theft or user impersonation. The patch commit daca4ffb1ce19643eecaa044362c41ac2ce45dde indicates that the fix brings the JSON endpoint in line with the `User::isAdmin()` gate already used by `reports.php` and `getCSV.php`. Operators running affected versions should apply the patch, then confirm the fix by requesting `plugin/AD_Server/reports.json.php` without a session and checking that the response is an error rather than report data; they should also review their web-server access logs for earlier unauthenticated requests to that path, and audit other plugin endpoints for the same pattern of a gated HTML page with an ungated API twin. The underlying lesson is that an authorization check must be enforced at every endpoint that serves a given dataset, not only at the one a human would normally visit.