CVE-2026-33649
Published: 23 March 2026
Summary
CVE-2026-33649 is a high-severity CSRF (CWE-352) vulnerability in WWBN AVideo. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 10.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-11 (Re-authentication) and SC-23 (Session Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
SC-23 (Session Authenticity): requires session authenticity mechanisms such as CSRF tokens or SameSite cookie restrictions, which stop cross-site requests from modifying permissions under the administrator's session. Note that SameSite=Lax still sends the cookie on top-level GET navigations, so for an endpoint that acts on GET parameters a per-session token (and a move to POST) is the decisive control.
IA-11 (Re-authentication): enforces re-authentication for privileged actions such as user group permission changes; a forged cross-site request rides on the session cookie alone and cannot supply the administrator's credentials.
SI-2 (Flaw Remediation): directly addresses flaw remediation by monitoring for and applying a patch to the vulnerable setPermission endpoint; no fixed version is currently available.
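As an added illustration of the session-authenticity and re-authentication controls above, the following request guard shows the weak cookie setting beside a hardened one and gates a permission change on method, Fetch Metadata, a synchronizer token and a recent re-authentication. This is example code, not AVideo's own; the function names, the `csrf_token` and `reauth_at` session keys and the 300-second re-authentication window are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example: a request guard implementing the controls above.
// This is NOT AVideo's code; hardenedSessionCookieParams(), issueCsrfToken(),
// rejectStateChangingRequest(), the 'csrf_token' / 'reauth_at' session keys
// and the 300-second re-authentication window are assumptions for the illustration.

// Vulnerable setting described in the advisory (cookie sent on cross-site loads):
//   ini_set('session.cookie_samesite', 'None');
// Hardened cookie parameters, to pass to session_set_cookie_params() before
// session_start(). Lax withholds the cookie on cross-site subresource loads
// such as <img> and on cross-site POSTs, but NOT on top-level GET navigations,
// so SameSite alone is not a complete fix for an endpoint that acts on GET.
function hardenedSessionCookieParams(): array
{
    return [
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// One unguessable token per session; the admin UI embeds it in each form
// (hidden field) or sends it with XHR. An attacker's page cannot read it.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Gate for state-changing handlers such as a permission change.
// Returns null if the request may proceed, otherwise the reason for refusal.
function rejectStateChangingRequest(array $server, array $post, array $session, int $now): ?string
{
    // 1. Never act on GET: an <img> tag can only produce a GET request.
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return 'method';
    }
    // 2. Fetch Metadata: browsers that send Sec-Fetch-Site mark forged requests
    //    as 'cross-site'. Old browsers omit the header, so only its presence
    //    with a value other than 'same-origin' is rejected here.
    $site = $server['HTTP_SEC_FETCH_SITE'] ?? '';
    if ($site !== '' && $site !== 'same-origin') {
        return 'cross-site';
    }
    // 3. Synchronizer token (SC-23), compared in constant time.
    $expected = (string)($session['csrf_token'] ?? '');
    $given    = (string)($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'csrf-token';
    }
    // 4. Re-authentication (IA-11): require that the admin re-entered their
    //    password within the last 300 seconds. A forged request rides on the
    //    session cookie only and cannot satisfy this step.
    if ($now - (int)($session['reauth_at'] ?? 0) > 300) {
        return 'reauth';
    }
    return null;
}

// Demonstration with constructed requests (not real traffic).
$session = ['reauth_at' => 1000000];
$token   = issueCsrfToken($session);

// Forged <img> load: GET, cross-site, no token.
$forged = ['REQUEST_METHOD' => 'GET', 'HTTP_SEC_FETCH_SITE' => 'cross-site'];
echo 'forged img load:       ', var_export(rejectStateChangingRequest($forged, [], $session, 1000010), true), PHP_EOL;

// Legitimate admin-UI submission shortly after re-authentication.
$legit = ['REQUEST_METHOD' => 'POST', 'HTTP_SEC_FETCH_SITE' => 'same-origin'];
echo 'legit submission:      ', var_export(rejectStateChangingRequest($legit, ['csrf_token' => $token], $session, 1000010), true), PHP_EOL;

// Same submission after the re-authentication window has lapsed.
echo 'stale re-auth window:  ', var_export(rejectStateChangingRequest($legit, ['csrf_token' => $token], $session, 1000500), true), PHP_EOL;
```

The forged load is refused at the first check (the reason string `method`), the legitimate submission passes (null), and the stale submission is refused with `reauth`. The checks are ordered cheapest first; the token comparison uses `hash_equals` so that timing does not leak the token, and the cookie parameters are returned as an array so they can be passed to `session_set_cookie_params()` before `session_start()`.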
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The CSRF flaw in a public-facing web application endpoint lets crafted cross-origin requests make unauthorized permission changes to user groups (account manipulation), which directly facilitates exploitation for privilege escalation.
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets `session.cookie_samesite=None` on session cookies. This allows an unauthenticated attacker to craft a page with `<img>` tags that, when visited by an admin, silently grant arbitrary permissions to the attacker's user group, escalating the attacker to near-admin access. As of time of publication, no known patched versions are available.
Deeper analysis [AI-generated]
WWBN AVideo, an open source video platform, is affected by CVE-2026-33649 in versions up to and including 26.0. The vulnerability resides in the `plugin/Permissions/setPermission.json.php` endpoint, which accepts GET parameters to perform a state-changing operation that modifies user group permissions. This endpoint lacks CSRF token validation, and the application sets `session.cookie_samesite=None` on session cookies, enabling cross-site request forgery attacks. Rated at CVSS 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and mapped to CWE-352 (Cross-Site Request Forgery), it exposes administrative permission controls to exploitation.
An unauthenticated attacker can exploit this by crafting a malicious webpage containing `<img>` tags that trigger the vulnerable endpoint. When an administrator visits the page—such as via a phishing link or embedded resource—the request silently executes under the admin's session, granting arbitrary permissions to the attacker's user group. This escalates the attacker's privileges to near-administrative levels, potentially allowing unauthorized access to sensitive video content, user data, or platform controls.
The GitHub security advisory (GHSA-g8x9-7mgh-7cvj) confirms that no patched version was available as of publication on 2026-03-23. Until one ships, practitioners should monitor the repository for a fix, place an interim control in front of the endpoint, advise administrators not to follow untrusted links while logged in, and consider temporarily disabling the Permissions plugin if feasible. Because the forged request is issued by the administrator's own browser, source-IP filtering does not help; a reverse-proxy rule that rejects requests to `plugin/Permissions/setPermission.json.php` whose `Sec-Fetch-Site` header is present with a value other than `same-origin`, or whose Referer is not the site's own host, is the interim control that actually breaks the attack.
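The following detector, added here as an example and not part of AVideo or the advisory, applies the Referer check described above both to Combined Log Format access-log lines and, through the same function, to a live request in front of the endpoint. The host names, the sample log lines, the `?x=y` placeholder query string (the real parameter names are not reproduced) and the function names are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example: Referer-based detector for forged requests to the vulnerable
// endpoint, usable over access logs or as an interim guard in a proxy/PHP
// front-end. Not AVideo code. Host names, log lines, the '?x=y' placeholder
// query string and the function names are constructed for the illustration.

const VULN_PATH = '/plugin/Permissions/setPermission.json.php';

// A genuine admin-UI call to the endpoint is same-origin, so its Referer names
// the site's own host. A request forged from an attacker's page carries the
// attacker's origin as Referer or, if that page sets Referrer-Policy:
// no-referrer, no Referer at all; a browser never lets the attacker's page
// claim the site's own host. Both a foreign and a missing Referer are flagged.
function isSuspectedCsrf(string $requestTarget, string $referer, string $ownHost): bool
{
    if (parse_url($requestTarget, PHP_URL_PATH) !== VULN_PATH) {
        return false;
    }
    if ($referer === '' || $referer === '-') {
        return true;
    }
    $refHost = parse_url($referer, PHP_URL_HOST);
    return !is_string($refHost) || strcasecmp($refHost, $ownHost) !== 0;
}

// Scan Combined Log Format lines and return the suspicious hits.
function scanCombinedLog(array $lines, string $ownHost): array
{
    // client ident user [time] "method target proto" status bytes "referer" "agent"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"/';
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // not a combined-format line
        }
        [, $ip, $time, $method, $target, $status, $referer] = $m;
        if (isSuspectedCsrf($target, $referer, $ownHost)) {
            $hits[] = [
                'ip'      => $ip,
                'time'    => $time,
                'method'  => $method,
                'status'  => $status,
                'referer' => $referer,
            ];
        }
    }
    return $hits;
}

// Constructed sample: two forged loads (foreign and missing Referer), one
// legitimate admin-UI call, one unrelated request.
$sample = [
    '203.0.113.7 - - [23/Mar/2026:10:15:01 +0000] "GET /plugin/Permissions/setPermission.json.php?x=y HTTP/1.1" 200 31 "https://attacker.example/cat.html" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Mar/2026:10:16:12 +0000] "GET /plugin/Permissions/setPermission.json.php?x=y HTTP/1.1" 200 31 "https://video.example.org/plugin/Permissions/" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Mar/2026:10:17:40 +0000] "GET /plugin/Permissions/setPermission.json.php?x=y HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Mar/2026:10:18:00 +0000] "GET /index.php HTTP/1.1" 200 512 "https://attacker.example/" "Mozilla/5.0"',
];

foreach (scanCombinedLog($sample, 'video.example.org') as $hit) {
    printf("%s %s %s status=%s referer=%s\n", $hit['time'], $hit['ip'], $hit['method'], $hit['status'], $hit['referer']);
}
```

On the sample the scanner reports the 10:15:01 and 10:17:40 requests and ignores the legitimate same-host call and the unrelated request. The same `isSuspectedCsrf()` call can gate the endpoint at request time using `$_SERVER['REQUEST_URI']` and `$_SERVER['HTTP_REFERER']`. Two caveats: administrators whose browser or privacy extension suppresses Referer will produce false positives, and where the reverse proxy can log or inspect `Sec-Fetch-Site` that header is the more reliable signal; in either form this is an interim control and a detection aid, not a substitute for the token-based fix.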
Details
- CWE(s)