Cyber Resilience

CVE-2026-33649

High · Public PoC

Published: 23 March 2026

Published
23 March 2026
Modified
25 March 2026
KEV Added
Patch
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0017 (6.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33649 is a high-severity CSRF (CWE-352) vulnerability in Wwbn Avideo. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 6.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-11 (Re-authentication) and SC-23 (Session Authenticity).

Deeper analysis

WWBN AVideo, an open source video platform, is affected by CVE-2026-33649 in versions up to and including 26.0. The vulnerability resides in the `plugin/Permissions/setPermission.json.php` endpoint, which accepts GET parameters to perform a state-changing operation that modifies user group permissions. This endpoint lacks CSRF token validation, and the application sets `session.cookie_samesite=None` on session cookies, enabling cross-site request forgery attacks. Rated at CVSS 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and mapped to CWE-352 (Cross-Site Request Forgery), it exposes administrative permission controls to exploitation.

An unauthenticated attacker can exploit this by crafting a malicious webpage containing `<img>` tags that trigger the vulnerable endpoint. When an administrator visits the page—such as via a phishing link or embedded resource—the request silently executes under the admin's session, granting arbitrary permissions to the attacker's user group. This escalates the attacker's privileges to near-administrative levels, potentially allowing unauthorized access to sensitive video content, user data, or platform controls.

The GitHub security advisory (GHSA-g8x9-7mgh-7cvj) confirms that no patched versions are known as of publication on 2026-03-23. Security practitioners should monitor the repository for updates, implement network-level controls to block unauthorized access to the endpoint, advise admins to avoid untrusted links, and consider temporarily disabling the Permissions plugin if feasible.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets `session.cookie_samesite=None` on session cookies. This allows an unauthenticated attacker to craft a page with `<img>` tags that, when visited by an admin, silently grant arbitrary permissions to the attacker's user group — escalating the attacker to near-admin access. As of time of publication, no known patched versions are available.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098 Account Manipulation (tactic: Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A CSRF vulnerability in a public-facing web application endpoint enables unauthorized permission changes on user groups (account manipulation) via crafted cross-origin requests, directly facilitating exploitation for privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40925 · Same product: Wwbn Avideo
CVE-2026-34394 · Same product: Wwbn Avideo
CVE-2026-33507 · Same product: Wwbn Avideo
CVE-2020-37158 · Same product: Wwbn Avideo
CVE-2026-40926 · Same product: Wwbn Avideo
CVE-2026-33292 · Same product: Wwbn Avideo
CVE-2026-33479 · Same product: Wwbn Avideo
CVE-2026-33767 · Same product: Wwbn Avideo
CVE-2026-33770 · Same product: Wwbn Avideo
CVE-2026-33038 · Same product: Wwbn Avideo

Affected Assets

wwbn / avideo ≤ 26.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

SC-23 Session Authenticity · prevent

Requires session authenticity mechanisms like CSRF tokens or SameSite cookie restrictions to block unauthorized cross-site requests modifying permissions.

IA-11 Re-authentication · prevent

Enforces re-authentication for privileged actions such as user group permission changes, which unauthenticated CSRF attacks cannot provide.

SI-2 Flaw Remediation · prevent

Directly addresses flaw remediation by monitoring for and applying patches to the vulnerable setPermission endpoint, as no fixed version is currently available.
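The following is an added illustration, not AVideo's own code and not the project's fix, of the hardened shape the SC-23 control above and the "Deeper analysis" section call for on a state-changing endpoint like `plugin/Permissions/setPermission.json.php`: a SameSite=Lax session cookie in place of None, POST only, a per-session synchronizer token compared in constant time, and an origin check. The function names, the POST field names and the admin/permission helpers are assumptions made for this example.

```php
<?php
// Added example (not AVideo's own code). Hardened shape for a state-changing
// JSON endpoint: SameSite cookie, POST-only, synchronizer token, origin check.
// Function names, POST field names and helpers are assumptions for illustration.
declare(strict_types=1);

// SameSite=Lax (or Strict) instead of None: the browser then omits the session
// cookie from cross-site subresource loads such as a third-party <img>.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// One random token per session. The admin UI calls csrfToken() when rendering
// its forms; an attacker's page cannot read the value cross-origin.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid($submitted): bool
{
    // Reject missing tokens and non-string input such as csrf_token[]=x.
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    // hash_equals: constant-time comparison, so timing does not leak the token.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: modern browsers label every request with Sec-Fetch-Site;
// otherwise compare the Origin header's host with our own (IPv6 literals not handled).
function requestIsSameSite(array $server): bool
{
    if (isset($server['HTTP_SEC_FETCH_SITE'])) {
        return in_array($server['HTTP_SEC_FETCH_SITE'], ['same-origin', 'same-site'], true);
    }
    $originHost = parse_url($server['HTTP_ORIGIN'] ?? '', PHP_URL_HOST);
    $ownHost    = explode(':', $server['HTTP_HOST'] ?? '')[0];
    return is_string($originHost) && $originHost !== '' && $originHost === $ownHost;
}

function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

// Hypothetical stand-ins for the application's own admin check and
// permission-update logic; they are not AVideo's functions.
function isAdminSession(): bool
{
    return !empty($_SESSION['is_admin']);
}

function applyPermissionChange(int $groupId, int $permissionId, bool $enable): bool
{
    // A real endpoint would update the database here.
    return $groupId > 0 && $permissionId > 0;
}

startHardenedSession();

// State changes only over POST. A bare <img src="..."> can only issue a GET,
// and an auto-submitted cross-site form still fails the token check below.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    respond(405, ['error' => 'method not allowed']);
}
if (!requestIsSameSite($_SERVER) || !csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
    respond(403, ['error' => 'request rejected: missing or invalid CSRF token']);
}
if (!isAdminSession()) {
    respond(403, ['error' => 'forbidden']);
}

$ok = applyPermissionChange(
    (int) ($_POST['users_group_id'] ?? 0),
    (int) ($_POST['permission_id'] ?? 0),
    !empty($_POST['enable'])
);
respond($ok ? 200 : 400, ['ok' => $ok]);
```

The order of the checks matters: the method and token checks run before any authorization logic, so a forged cross-site request is rejected without the admin's session ever being consulted. The SameSite change alone is not sufficient (older browsers, and `same-site` subdomains sharing a cookie scope), which is why the token and origin checks are kept as independent layers.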

References