CVE-2026-33692 in AVideo
Summary
by MITRE • 07/17/2026
WWBN AVideo is an open source video platform. Versions prior to 29.0 expose .env files to unauthenticated users through the official Docker compose configuration. The official docker-compose.yml mounts the entire project root directory as the Apache document root, causing the .env file — which contains database credentials, admin passwords, and infrastructure configuration — to be served as a static file at /.env. No .htaccess rule or Apache configuration blocks access to dotfiles. Exploitation enables direct database access, admin panel takeover, and further lateral movement within the Docker network. This issue has been resolved in version 29.0.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability in AVideo versions prior to 29.0 represents a critical misconfiguration that exposes sensitive environment files to unauthorized users through improper containerization practices. This flaw stems from the official docker-compose.yml configuration that mounts the entire project root directory as the Apache document root, creating an attack surface where any file within the mounted volume becomes accessible via HTTP requests. The .env file, which contains database credentials, admin passwords, and infrastructure configuration details, is served as a static file at the root path /.env without any access controls or restrictions. This misconfiguration directly violates security best practices for containerized applications and demonstrates a fundamental lack of understanding regarding how to properly isolate sensitive configuration data from public web access.
The technical implementation of this vulnerability occurs through Apache's default document root configuration where no .htaccess rules or Apache configuration directives are implemented to block access to dotfiles or sensitive directories. This creates a persistent exposure where any user with network access to the application can simply request /env or similar paths to retrieve critical system information. The flaw aligns with CWE-200, which addresses improper exposure of sensitive information, and represents a classic case of insufficient access control within web applications. The vulnerability also maps to ATT&CK technique T1566, specifically the use of unsecured credentials in exposed configuration files, enabling threat actors to gain unauthorized access to backend systems.
The operational impact of this vulnerability extends far beyond simple information disclosure, providing attackers with direct pathways to compromise the entire system infrastructure. With database credentials exposed through the .env file, attackers can establish direct database connections and potentially exfiltrate or manipulate sensitive data. The presence of admin passwords allows for immediate administrative access to the application interface, enabling full control over user accounts, content management, and system configuration. Additionally, the exposure of infrastructure configuration details provides insights into internal network structures, which facilitates lateral movement within Docker networks and potential attacks on other services running in the same container environment. This vulnerability essentially provides a complete compromise path from initial access to system takeover.
Mitigation strategies for this vulnerability require immediate implementation of proper container security configurations and access controls. The primary solution involves modifying the docker-compose.yml file to ensure that sensitive directories such as .env files are not mounted into the web document root, and that proper Apache configuration is implemented to block access to dotfiles and configuration directories. Security measures should include implementing .htaccess rules or Apache virtual host configurations that explicitly deny access to files beginning with periods, as well as ensuring that environment variables are properly managed outside of the web-accessible directory structure. Organizations should also implement regular security scanning of container configurations and conduct comprehensive penetration testing to identify similar misconfigurations in other services. The fix implemented in version 29.0 demonstrates the importance of proper configuration management and access control implementation in containerized environments, aligning with industry standards for secure container deployment practices and preventing similar exposure scenarios in future releases.