Cyber Posture

CVE-2026-33037

Severity: High · Public PoC

Published: 20 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: fixed in version 26.0 (see Deeper analysis)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0048 (65.3rd percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33037 is a high-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in Wwbn Avideo. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked in the top 34.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001) and one other technique, Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: IA-5 directly requires changing default authenticators prior to first use and enforcing authenticator quality requirements, preventing exploitation of hardcoded weak 'password' and MD5-hashed credentials.

Prevent: CM-6 mandates identifying, documenting, and deploying secure configuration settings for software products, ensuring overrides for default admin and database credentials in Docker deployment files.

Prevent: CM-2 requires developing and maintaining baseline configurations under change control that exclude insecure defaults, addressing the root cause of unhardened deployments.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1078.001 Default Accounts [Stealth]
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1190 Exploit Public-Facing Application [Initial Access]
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Hardcoded default admin credentials enable use of default accounts (T1078.001) for unauthenticated remote access to the public-facing web application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover. No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk. Exploitation depends on operators failing to change the default, a condition likely met in quick-start, demo, and automated deployments. This issue has been fixed in version 26.0.

Deeper analysis (AI-generated)

CVE-2026-33037 is an insecure default configuration vulnerability (CWE-1188) in WWBN AVideo, an open source video platform, affecting versions 25.0 and below. The official Docker deployment files (docker-compose.yml and env.example) ship with the admin password hardcoded as "password", which automatically seeds the admin account during installation. Deployments that do not override the SYSTEM_ADMIN_PASSWORD environment variable are vulnerable to immediate administrative takeover. No compensating controls exist, such as forced password changes on first login, complexity validation, or default-password detection, and the password is hashed using weak MD5. The vulnerability extends to default database credentials (avideo/avideo), further compounding the risk.

Remote attackers with no privileges (AV:N/PR:N) can exploit this vulnerability by authenticating with the publicly known default credentials, assuming the target instance was deployed without customization—a scenario likely in quick-start, demo, or automated environments. Successful exploitation grants full administrative access (CVSS 8.1: C:H/I:H/A:H), allowing user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The high attack complexity (AC:H) stems from reliance on operators failing to change defaults.

The vulnerability has been addressed in AVideo version 26.0. Mitigation involves upgrading to version 26.0 and ensuring all deployments override default credentials, particularly SYSTEM_ADMIN_PASSWORD and database passwords. Additional details are available in the GitHub security advisory (GHSA-89rv-p523-6wg9) and the fixing commit (2075fac1a51f21fab5d8592235a095aa354a9de6).
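The mitigation above boils down to a configuration check: the deployment's environment file must override the published defaults before the stack is started. The following audit script is an added example written for this page; it is not AVideo project code. It parses a docker-compose-style .env file, flags SYSTEM_ADMIN_PASSWORD when it is missing or still "password", flags the avideo/avideo database credentials, and applies a minimal quality check to any override. Only SYSTEM_ADMIN_PASSWORD is named in the advisory; the database variable names MYSQL_USER and MYSQL_PASSWORD are assumptions for illustration, and both sample env files are constructed.

```python
"""
Audit a docker-compose-style .env file for the insecure defaults described in
CVE-2026-33037 (WWBN AVideo <= 25.0): an admin password left at "password" and
database credentials left at avideo/avideo.

Added example, not AVideo project code. Only SYSTEM_ADMIN_PASSWORD is named in
the advisory; MYSQL_USER / MYSQL_PASSWORD are assumed variable names.
"""
import re
import sys
from typing import Dict, List

# Published defaults from the advisory (admin) plus assumed DB variable names.
DEFAULT_VALUES = {
    "SYSTEM_ADMIN_PASSWORD": "password",
    "MYSQL_USER": "avideo",       # assumed variable name
    "MYSQL_PASSWORD": "avideo",   # assumed variable name
}
SECRET_VARS = ("SYSTEM_ADMIN_PASSWORD", "MYSQL_PASSWORD")
MIN_SECRET_LENGTH = 12
WEAK_VALUES = {"password", "admin", "avideo", "changeme"}

# KEY=VALUE with optional leading "export"; value may be quoted.
_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample: an unmodified quick-start deployment.
QUICKSTART_ENV = """
# quick-start .env (constructed sample)
SYSTEM_ADMIN_PASSWORD=password
MYSQL_USER=avideo
MYSQL_PASSWORD=avideo
"""

# Constructed sample: the same file with every default overridden.
HARDENED_ENV = """
# hardened .env (constructed sample)
SYSTEM_ADMIN_PASSWORD="Xk7#qpL2!vRm9sWz"
MYSQL_USER=avideo_app
MYSQL_PASSWORD='u8Tz!4nQp2#LmVx9'
"""


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; skips blanks and comments, strips matching quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # not a KEY=VALUE line; ignore rather than guess
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def audit_env(env: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means no insecure default was detected."""
    findings: List[str] = []
    for key, default in DEFAULT_VALUES.items():
        value = env.get(key)
        if value is None:
            # No override means the image default is used, the vulnerable state.
            findings.append(f"{key} is not set; the shipped default will be used")
        elif value == default:
            findings.append(f"{key} is still the published default {default!r}")
    for key in SECRET_VARS:
        value = env.get(key)
        if value is None or value == DEFAULT_VALUES.get(key):
            continue  # already reported above
        if len(value) < MIN_SECRET_LENGTH:
            findings.append(f"{key} is shorter than {MIN_SECRET_LENGTH} characters")
        if value.lower() in WEAK_VALUES:
            findings.append(f"{key} is a well-known weak value")
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse then audit."""
    return audit_env(parse_env(text))


def main() -> int:
    """Audit the file given on the command line, or the constructed sample."""
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else QUICKSTART_ENV
    findings = audit_text(text)
    for finding in findings:
        print("FINDING:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it against the .env that docker-compose actually loads (not env.example), ideally as a CI step so that a non-zero exit blocks the deployment; a missing variable is reported as a finding because, per the advisory, an absent override is exactly the vulnerable state.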

Details

CWE(s): CWE-1188 (Initialization of a Resource with an Insecure Default)

Affected Products: wwbn / avideo, ≤ 26.0

CVEs Like This One

CVE-2026-28501 (same product: Wwbn Avideo)
CVE-2026-33716 (same product: Wwbn Avideo)
CVE-2026-40925 (same product: Wwbn Avideo)
CVE-2026-33479 (same product: Wwbn Avideo)
CVE-2026-41057 (same product: Wwbn Avideo)
CVE-2026-41056 (same product: Wwbn Avideo)
CVE-2026-33513 (same product: Wwbn Avideo)
CVE-2026-33770 (same product: Wwbn Avideo)
CVE-2026-33297 (same product: Wwbn Avideo)
CVE-2026-33292 (same product: Wwbn Avideo)

References