CVE-2026-33038
Published: 20 March 2026
Summary
CVE-2026-33038 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in WWBN AVideo. Its CVSS base score is 8.1 (High).
Exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 23.7th percentile for exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mandates identification and authentication prior to permitting critical actions such as unauthenticated application initialization and admin account creation via the install/checkConfiguration.php endpoint.
- Enforces approved access control policies to block unauthorized POST requests that perform database setup, admin creation, and configuration writes on uninitialized deployments.
- Requires identification and authentication for non-organizational users or processes, preventing remote attackers from completing installation with attacker-controlled credentials.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated remote code path in a public-facing web application's installation endpoint (checkConfiguration.php) that directly enables initial access and full admin takeover on uninitialized instances, mapping to T1190 Exploit Public-Facing Application.
NVD Description
WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.
Deeper analysis
CVE-2026-33038 is a high-severity vulnerability in WWBN AVideo, an open source video platform, affecting versions 25.0 and below. The issue resides in the install/checkConfiguration.php endpoint, which performs full application initialization (database setup, admin account creation, and configuration file writing) directly from unauthenticated POST input. Its sole safeguard is checking whether videos/configuration.php already exists; an instance on which that file is absent is therefore fully exposed.
Remote attackers with no privileges can exploit this on an uninitialized AVideo instance by submitting a POST request with attacker-controlled parameters. A successful request completes the installation with the attacker's chosen admin credentials and database details, granting full administrative access to the platform. The CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects high confidentiality, integrity, and availability impact; attack complexity is rated High because exploitation requires the target to be in the uninitialized state. The weakness is classified as CWE-306 (Missing Authentication for Critical Function).
The exposure window is any instance that is reachable from the network before setup has been completed, for example a fresh container or image that is published before an operator runs the installer, since the file-existence check is the only thing standing between an anonymous POST and an attacker-owned deployment. The vulnerability has been fixed in AVideo version 26.0. Operators should upgrade affected deployments to 26.0; until that is done, do not expose an uninitialized instance to untrusted networks, and confirm that videos/configuration.php exists before an instance goes live. Additional details are available in the GitHub security advisory GHSA-2f9h-23f7-8gcx and the patching commit b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1.
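The detection angle that follows from the description above is straightforward: the takeover is a POST to a single, well-known path, so web server access logs are enough to hunt for attempts. The script below is an added example, not code from the AVideo project or from the advisory. It parses combined-format (Apache/nginx) access log lines, flags POST requests whose path ends in install/checkConfiguration.php, and marks whether the source address lies outside a trusted range. The log lines are constructed for illustration, and the trusted-network list is an assumption to be replaced with the ranges that legitimately administer your deployment.

```python
"""Hunt combined-format access logs for POST requests to AVideo's installer.

Added example for CVE-2026-33038 (not project or advisory code). The
sample log lines and the TRUSTED_NETS list are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Combined log format:
# client ident authuser [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# The endpoint named in the advisory. Matched as a suffix so an AVideo
# install served from a sub-path (e.g. /videos/install/...) is still caught.
INSTALL_ENDPOINT = "install/checkConfiguration.php"

# Assumption: ranges from which administrators may legitimately run the
# installer. Replace with your own. Documentation ranges (203.0.113.0/24 etc.)
# are deliberately NOT listed so the sample below classifies them as external.
TRUSTED_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7",
)]


@dataclass
class Hit:
    ip: str
    time: datetime
    method: str
    path: str
    status: int
    external: bool


def is_external(ip_str):
    """True when the address is outside every trusted network."""
    ip = ip_address(ip_str)
    # 'in' returns False (no exception) when address and network versions differ.
    return not any(ip in net for net in TRUSTED_NETS)


def parse_line(line):
    """Return the matched fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_install_attempts(lines):
    """Return a Hit for every POST whose path ends in the installer endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # blank or non-log line
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if not path.endswith(INSTALL_ENDPOINT):
            continue
        if rec["method"] != "POST":
            continue  # the takeover described in the advisory is a POST
        ts = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append(Hit(ip=rec["ip"], time=ts, method=rec["method"], path=path,
                        status=int(rec["status"]), external=is_external(rec["ip"])))
    return hits


def triage(hits):
    """Group hits per source address: attempt count, external flag, status codes seen."""
    out = {}
    for h in hits:
        entry = out.setdefault(h.ip, {"count": 0, "external": h.external, "statuses": set()})
        entry["count"] += 1
        entry["statuses"].add(h.status)
    return out


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Mar/2026:02:14:05 +0000] "GET /install/checkConfiguration.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [21/Mar/2026:02:14:09 +0000] "POST /install/checkConfiguration.php HTTP/1.1" 200 1043 "-" "curl/8.5.0"
198.51.100.23 - - [21/Mar/2026:03:00:41 +0000] "POST /videos/install/checkConfiguration.php?x=1 HTTP/1.1" 403 211 "-" "python-requests/2.31"
10.0.0.5 - - [21/Mar/2026:03:05:00 +0000] "POST /install/checkConfiguration.php HTTP/1.1" 200 1043 "https://video.example/install/" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2026:02:15:00 +0000] "GET /objects/login.json.php HTTP/1.1" 200 88 "-" "curl/8.5.0"
not a log line
"""

if __name__ == "__main__":
    for ip, info in triage(find_install_attempts(SAMPLE_LOG.splitlines())).items():
        flag = "EXTERNAL" if info["external"] else "trusted"
        print(f"{ip:16} {flag:9} attempts={info['count']} statuses={sorted(info['statuses'])}")
```

Any external POST to this endpoint deserves a look regardless of status code: on an instance that was already initialized the request should have been refused by the file-existence guard, but the attempt still shows the host is being scanned for this bug, and on an instance that was uninitialized at the time a single such POST is the whole takeover. Correlate the hit timestamps with when videos/configuration.php was created on the host; if the file's creation time matches an external POST, treat the admin account and database settings as attacker-controlled.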
Details
- CWE(s)