CVE-2026-33716 in AVideo

Summary

by MITRE • 03/23/2026

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{"error": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch.


Analysis

by VulDB Data Team • 03/28/2026

The vulnerability identified as CVE-2026-33716 affects the WWBN AVideo platform, specifically targeting versions up to and including 26.0. This open source video platform provides live streaming capabilities through its web interface, making it susceptible to attacks that could compromise the integrity and security of live broadcast operations. The issue resides in the standalone live stream control endpoint located at `plugin/Live/standAloneFiles/control.json.php`, which serves as a critical interface for managing live stream operations within the platform's architecture. The vulnerability represents a significant security flaw that undermines the authentication mechanisms designed to protect live stream operations.

The technical flaw manifests through the improper handling of the `streamerURL` parameter within the `control.json.php` endpoint. This parameter is intended to specify the URL where token verification requests should be sent, but the implementation fails to validate or sanitize user-supplied input. When an attacker supplies a malicious `streamerURL` parameter, the system accepts this input without proper verification and redirects all token verification requests to the attacker-controlled server. This design flaw creates a path for arbitrary code execution and unauthorized access to live streaming controls. The vulnerability is classified under CWE-20 as "Improper Input Validation," which specifically addresses the failure to properly validate input parameters that can lead to security breaches.

The operational impact of this vulnerability is severe and far-reaching for any organization using affected versions of AVideo. An attacker who exploits this vulnerability gains complete unauthenticated control over all live streams within the platform, enabling them to perform critical operations without authorization. This includes dropping active publishers from streams, which could disrupt ongoing broadcasts, starting or stopping stream recordings, which could result in data loss or manipulation, and probing stream existence, which could reveal sensitive information about platform usage patterns. The attack vector allows for comprehensive stream manipulation and surveillance capabilities, potentially affecting multiple concurrent streams simultaneously. This vulnerability directly maps to several tactics in the MITRE ATT&CK framework, particularly including T1078 for valid accounts and T1566 for credential harvesting through manipulation of authentication mechanisms.

The security implications extend beyond simple unauthorized access to include potential data integrity compromise and service disruption. Attackers could leverage this vulnerability to perform stream hijacking, where they take control of active broadcasts, or to conduct denial-of-service attacks by dropping legitimate publishers. The ability to probe stream existence also provides reconnaissance capabilities that could be used to map platform infrastructure and identify high-value targets for further attacks. Organizations using affected versions of AVideo should immediately implement mitigation strategies, including patching to the fixed version referenced in commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128. Additionally, network-level restrictions should be implemented to limit access to the vulnerable endpoint, and monitoring should be enhanced to detect suspicious parameter usage patterns. The vulnerability highlights the importance of proper input validation and authentication flow management in web applications, particularly those handling real-time streaming data where the consequences of security breaches can be immediate and impactful.
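One way to implement the monitoring suggested above, as an added example that is not code from AVideo or VulDB: it scans web server access logs for requests to the control endpoint that carry a `streamerURL` parameter and marks those pointing at a host other than your own site. It assumes combined log format, that the parameter is sent in the query string (a parameter sent in a POST body does not appear in access logs), and uses `video.example.org` as a placeholder for the site hostname.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/plugin/Live/standAloneFiles/control.json.php"
# Assumption: placeholder for the hostname(s) of your own AVideo site.
EXPECTED_HOSTS = {"video.example.org"}

# Combined log format: client, identity, user, [timestamp], "METHOD target PROTO"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

def find_streamer_url_overrides(lines, expected_hosts=frozenset(EXPECTED_HOSTS)):
    """Report every control-endpoint request that supplies streamerURL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        target = urlsplit(m["target"])
        if not target.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes values and keeps repeated parameters.
        for value in parse_qs(target.query).get("streamerURL", []):
            host = (urlsplit(value).hostname or "").lower()
            findings.append({
                "client": m["ip"],
                "time": m["ts"],
                "streamerURL": value,
                # True when verification would leave the expected host(s).
                "foreign_host": host not in expected_hosts,
            })
    return findings

# Constructed sample lines (documentation IP ranges and .example hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Mar/2026:10:01:12 +0000] "GET /plugin/Live/standAloneFiles/'
    'control.json.php?streamerURL=https%3A%2F%2Fverifier.example.net%2F HTTP/1.1" 200 17',
    '198.51.100.4 - - [24/Mar/2026:10:02:40 +0000] "GET /plugin/Live/standAloneFiles/'
    'control.json.php?streamerURL=https%3A%2F%2Fvideo.example.org%2F HTTP/1.1" 200 17',
    '198.51.100.9 - - [24/Mar/2026:10:03:05 +0000] "GET /plugin/Live/standAloneFiles/'
    'control.json.php HTTP/1.1" 200 17',
    '198.51.100.9 - - [24/Mar/2026:10:03:09 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in find_streamer_url_overrides(SAMPLE_LOG):
        print(finding)
```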

Responsible: GitHub M
Reservation: 03/23/2026
Disclosure: 03/23/2026
Moderation: accepted
CPE: ready
EPSS: 0.00106
KEV: no
Activities: very low
