CVE-2026-33512
Published: 23 March 2026
Summary
CVE-2026-33512 is a high-severity Improper Authentication (CWE-287) vulnerability in Wwbn Avideo. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prohibits unauthenticated actions like submitting ciphertext to the decryptString API endpoint to recover sensitive plaintext.
Enforces approved authorizations to block unauthorized access to the API plugin's decryption functionality.
Provides protections for publicly accessible endpoints like decryptString to prevent unauthorized recovery of protected tokens and metadata.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote API exposure in public-facing web app directly enables T1190 exploitation; resulting decryption of protected tokens enables T1528 credential theft.
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any…
more
user can recover protected tokens/metadata. Commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 contains a patch.
Deeper analysisAI
CVE-2026-33512 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The vulnerability resides in the API plugin, which exposes a `decryptString` action without any authentication requirements. This allows anyone to submit ciphertext and receive the corresponding plaintext. Publicly issued ciphertext, such as from endpoints like `view/url2Embed.json.php`, enables recovery of protected tokens and metadata. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWEs 287 (Improper Authentication), 312 (Cleartext Storage of Sensitive Information), 326 (Inadequate Encryption Strength), and 327 (Use of a Broken or Risky Cryptographic Algorithm).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction. By capturing publicly available ciphertext from AVideo instances and submitting it to the `decryptString` API endpoint, attackers can decrypt sensitive data such as protected tokens and metadata, leading to high confidentiality impacts without affecting integrity or availability.
The patch is available in commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 on the WWBN/AVideo GitHub repository. Additional details are provided in the GitHub security advisory at GHSA-mwjc-5j4x-r686, which recommends updating to a patched version to mitigate the issue.
Details
- CWE(s)