CVE-2026-33688 in AVideo
Summary
by MITRE • 03/23/2026
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned — at scale and without solving any captcha — by observing three distinct JSON error responses. Commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contains a patch.
Analysis
by VulDB Data Team • 03/28/2026
CVE-2026-33688 affects WWBN AVideo 26.0 and earlier, specifically the password recovery handler exposed at objects/userRecoverPass.php. The weakness is an ordering error in that workflow: the handler looks up the submitted username and checks the account's status before it verifies the captcha, so the captcha never gates the lookups it was meant to protect. The effect is an unauthenticated username and account-status oracle. On its own this is an information disclosure issue rather than a code execution or authentication bypass flaw, but it directly undermines the platform's authentication model, because anti-automation controls on a recovery endpoint exist precisely to stop this kind of probing.
Exploitation needs nothing beyond HTTP requests. For each candidate username the attacker submits a recovery request with no captcha solution and inspects the JSON error returned. Three distinct responses indicate that the username does not exist, that the account is inactive, or that the account is banned; a request for an existing, active account falls through to the captcha check and fails there, which is itself a fourth distinguishable outcome. One request per candidate therefore yields both existence and status, and the attacker can profile the user base without solving a single captcha. The flaw is not an insecure direct object reference (no object is reached by manipulating an identifier); it is an observable response discrepancy in an application-layer authentication component, where the server's branching reveals internal state that an anonymous client should never learn.
The operational impact goes beyond a single disclosure because the probing is trivially automated and scales linearly with the wordlist. Harvested usernames feed targeted brute force and credential stuffing against the login endpoint, where enumerated accounts can be tested against leaked password lists, and the status information lets an attacker discard inactive and banned accounts and concentrate on live ones. The same list supports phishing and other social engineering against the real users of a specific instance. The cumulative effect is to strip the platform of one of the few controls that make account takeover expensive.
The assigned weakness is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor); the more specific pattern is CWE-204 (Observable Response Discrepancy), since the information leaks through which error branch the server takes rather than through any single field. The defect is not a missing input validation or access control check but an incorrect order of checks. The ATT&CK mapping given for this issue is T1078.004 (Valid Accounts: Cloud Accounts), which describes later use of obtained credentials; the enumeration itself corresponds more directly to T1087 (Account Discovery), and it feeds T1110 (Brute Force), including T1110.004 (Credential Stuffing). The fix in commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 reorders the validation so that the captcha is verified before the user lookup and status checks; an unauthenticated client that cannot solve the captcha then sees only the captcha error, whatever username it submits, while legitimate recovery continues to work.
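The following Python model, added here as an illustration and not code from AVideo or its patch, contrasts the flawed check order with a hardened one and shows what an attacker learns from each. The user table, message strings, captcha token and helper names are all hypothetical; AVideo's real handler is PHP and its actual response bodies are not quoted in this advisory.

```python
import json
from typing import Callable, Dict, List, Optional

# Constructed account table standing in for AVideo's user store (hypothetical).
# The three statuses are the ones the advisory says the endpoint distinguishes.
USERS: Dict[str, str] = {
    "alice": "active",
    "bob": "inactive",
    "carol": "banned",
}

# Records recovery emails a handler would send; lets a test see the side effect.
SENT_EMAILS: List[str] = []


def captcha_valid(token: Optional[str]) -> bool:
    """Stand-in for the real captcha verifier; only the literal token 'good' passes."""
    return token == "good"


def send_recovery_email(username: str) -> None:
    """Stand-in for mailing a reset link; the outcome must not surface in the response."""
    SENT_EMAILS.append(username)


def recover_vulnerable(username: str, captcha: Optional[str]) -> str:
    """Flawed ordering as the advisory describes it: lookup and status checks
    run first, so every branch below is reachable without a captcha."""
    status = USERS.get(username)
    if status is None:
        return json.dumps({"error": True, "msg": "User not found"})
    if status == "inactive":
        return json.dumps({"error": True, "msg": "Account is inactive"})
    if status == "banned":
        return json.dumps({"error": True, "msg": "Account is banned"})
    # Only an existing, active account reaches the captcha check, so even the
    # captcha error reveals something: this username is live.
    if not captcha_valid(captcha):
        return json.dumps({"error": True, "msg": "Invalid captcha"})
    send_recovery_email(username)
    return json.dumps({"error": False, "msg": "Recovery email sent"})


def recover_hardened(username: str, captcha: Optional[str]) -> str:
    """Captcha gates everything, and the body is identical for unknown,
    inactive, banned and active accounts; only the side effect differs."""
    if not captcha_valid(captcha):
        return json.dumps({"error": True, "msg": "Invalid captcha"})
    status = USERS.get(username)
    if status == "active":
        send_recovery_email(username)
    # Same body on every path. The lookup is done unconditionally rather than
    # returning early so the timing profile stays similar across cases.
    return json.dumps({"error": False,
                       "msg": "If that account exists, a recovery email has been sent"})


def enumerate_accounts(handler: Callable[[str, Optional[str]], str],
                       candidates: List[str]) -> Dict[str, List[str]]:
    """Attacker loop: submit each candidate with no captcha and bucket the
    usernames by the exact response body returned."""
    buckets: Dict[str, List[str]] = {}
    for name in candidates:
        body = handler(name, None)
        buckets.setdefault(body, []).append(name)
    return buckets


def classify_vulnerable_responses(candidates: List[str]) -> Dict[str, str]:
    """What the attacker concludes per username from the vulnerable handler,
    using the hypothetical message strings above as the oracle."""
    meaning = {
        "User not found": "absent",
        "Account is inactive": "inactive",
        "Account is banned": "banned",
        "Invalid captcha": "active",
    }
    return {name: meaning[json.loads(recover_vulnerable(name, None))["msg"]]
            for name in candidates}


if __name__ == "__main__":
    names = ["alice", "bob", "carol", "dave"]
    print("vulnerable:", classify_vulnerable_responses(names))
    print("hardened buckets:", len(enumerate_accounts(recover_hardened, names)))
```

Against the vulnerable handler the four candidates land in four different buckets and the attacker recovers every account's status with no captcha; against the hardened handler they all land in one bucket, and the only way to tell an existing account from a missing one is to own its mailbox.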
Operators running AVideo 26.0 or earlier should apply the referenced commit or upgrade to a release that includes it. Until then, rate limit objects/userRecoverPass.php per source address at the web server or WAF, and alert on a single client submitting recovery requests for many distinct usernames in a short window. Reordering the checks closes the captcha-free path, but if the recovery endpoint still returns different messages for unknown, inactive and banned accounts once a captcha is solved, an attacker willing to pay for captcha solving can still enumerate, just more slowly; the robust design returns the same response whether or not the account exists and conveys the outcome only through the email channel. The general principle is fail-closed ordering: cheap anti-automation checks (captcha, rate limits, authentication where required) run before any operation whose result depends on secret state, and no response path reveals that state to an anonymous caller. Teams should audit login, registration and recovery flows for the same discrepancy, including timing differences, since check ordering is easy to get wrong in any of them.
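An added example, not part of the advisory or the AVideo project, of the monitoring recommended above: a sliding-window rule over constructed log lines that flags a source address sweeping many distinct usernames through the recovery endpoint. The log format, addresses and usernames are hypothetical; AVideo's own logging is not quoted here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed application-log lines (hypothetical format): one line per request
# to the recovery endpoint. 203.0.113.7 sweeps six usernames in a few seconds
# without a captcha; 198.51.100.4 is a real user who retried their own account.
SAMPLE_LOG = """\
2026-03-28T10:00:01Z 203.0.113.7 POST /objects/userRecoverPass.php user=alice captcha=absent
2026-03-28T10:00:02Z 203.0.113.7 POST /objects/userRecoverPass.php user=bob captcha=absent
2026-03-28T10:00:02Z 203.0.113.7 POST /objects/userRecoverPass.php user=carol captcha=absent
2026-03-28T10:00:03Z 203.0.113.7 POST /objects/userRecoverPass.php user=dave captcha=absent
2026-03-28T10:00:04Z 203.0.113.7 POST /objects/userRecoverPass.php user=erin captcha=absent
2026-03-28T10:00:05Z 203.0.113.7 POST /objects/userRecoverPass.php user=frank captcha=absent
2026-03-28T10:00:09Z 198.51.100.4 POST /objects/userRecoverPass.php user=alice captcha=present
2026-03-28T10:00:41Z 198.51.100.4 POST /objects/userRecoverPass.php user=alice captcha=present
2026-03-28T10:15:00Z 203.0.113.7 POST /objects/userRecoverPass.php user=grace captcha=absent
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /objects/userRecoverPass\.php "
    r"user=(?P<user>\S+) captcha=(?P<captcha>absent|present)$"
)


def parse_log(text: str) -> List[Tuple[datetime, str, str, bool]]:
    """Return (timestamp, source ip, username, captcha_present) per matching line;
    lines for other endpoints or with an unexpected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["captcha"] == "present"))
    return events


def detect_enumeration(text: str, window_seconds: int = 60,
                       max_distinct_users: int = 5) -> Dict[str, int]:
    """Sliding-window rule: alert on any source IP that submits recovery requests
    for more than max_distinct_users distinct usernames within window_seconds.
    The captcha field is parsed for context but not used to exclude requests,
    since a captcha-solving service still lets a patched instance be swept,
    only more slowly. Returns {ip: peak distinct usernames seen in one window}."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, int] = {}
    for ts, ip, user, _captcha_present in sorted(parse_log(text)):
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop events outside the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct > max_distinct_users:
            alerts[ip] = max(alerts.get(ip, 0), distinct)
    return alerts


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```

The threshold of five distinct usernames per minute is a starting point; a legitimate user recovers one or two accounts, so anything in the tens is a sweep. Pair the alert with a per-address rate limit on the same endpoint so the detection also throttles the traffic it flags.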