CVE-2026-33297
Published: 23 March 2026
Summary
CVE-2026-33297 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Wwbn Avideo. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring identification, reporting, and correction of the logic error in setPassword.json.php that coerces non-numeric passwords to the guessable integer zero.
Ensures proper management of channel passwords as authenticators, including strength requirements that prevent setting or retaining trivially guessable values like zero.
Requires validation of inputs to the password-setting endpoint to detect and prevent improper processing or coercion of submitted password values.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass flaw in public-facing AVideo web endpoint allows unauthenticated remote attackers to trivially bypass access controls, directly mapping to exploitation of a public-facing application.
NVD Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the `setPassword.json.php` endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value…
more
is processed, any password containing non-numeric characters is silently coerced to the integer zero before being stored. This means that regardless of the intended password, the stored channel password becomes 0, which any visitor can trivially guess to bypass channel-level access control. Version 26.0 contains a patch for the issue.
Deeper analysisAI
CVE-2026-33297 affects WWBN AVideo, an open source video platform, in versions prior to 26.0. The vulnerability resides in the `setPassword.json.php` endpoint of the CustomizeUser plugin, which administrators use to set channel passwords for users. A logic error causes any submitted password containing non-numeric characters to be silently coerced to the integer zero before storage, rendering all channel passwords effectively "0" regardless of the administrator's intent. This flaw, classified under CWE-639 (Authorization Bypass Through User-Controlled Key), has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
The vulnerability enables unauthenticated attackers with network access to trivially bypass channel-level access controls by guessing the password "0". No special privileges, user interaction, or complex conditions are required, allowing remote exploitation over the network with low attack complexity. Successful exploitation grants unauthorized access to protected video channels, resulting in high impacts on confidentiality (e.g., viewing restricted content) and integrity (e.g., potential tampering with channel data).
Version 26.0 of AVideo patches the issue, as detailed in the GitHub commit (https://github.com/WWBN/AVideo/commit/7a6a94631a0a18c313894395e6eb6703cca4abd0) and the associated security advisory (https://github.com/WWBN/AVideo/security/advisories/GHSA-6547-8hrg-c55m). Security practitioners should upgrade to version 26.0 or later and audit existing channel configurations for the default zero password.
Details
- CWE(s)