CVE-2026-33650
Published: 23 March 2026
Summary
CVE-2026-33650 is a high-severity Incorrect Authorization (CWE-863) vulnerability in WWBN AVideo. Its CVSS v3.1 base score is 7.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 13.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog, although a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-33650 is an authorization bypass in WWBN AVideo, an open source video platform. Affected versions are up to and including 26.0. A user holding the "Videos Moderator" permission, which the documentation limits to changing a video's publicity status (Active, Inactive, Unlisted), can instead perform full video management operations such as transferring ownership of, or deleting, any video. The root cause is that two endpoints enforce different checks for what should be one privilege boundary: `Permissions::canModerateVideos()` is the gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only verifies that the caller owns the video. The two checks together form an asymmetric authorization boundary (CWE-863).
An authenticated attacker with Videos Moderator privileges can exploit this over the network with low attack complexity and no user interaction. The attack is a two-step chain: first, use the moderator permission to transfer ownership of a target video to the attacker's own account via `videoAddNew.json.php`; then, now that the ownership check passes, delete the video via `videoDelete.json.php`. The result is control over arbitrary videos, with the potential for data loss or manipulation, reflected in the CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L (7.6).
The GitHub security advisory (GHSA-8x77-f38v-4m5j) and patch commit 838e16818c793779406ecbf34ebaeba9830e33f8 detail the fix, which removes the asymmetry so that Videos Moderator actions are restricted to what the permission documents. Operators should upgrade to a release that includes the patch commit (later than 26.0) and audit which accounts hold the Videos Moderator permission in existing deployments, since any such account could have exercised this chain before patching.
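To make the asymmetry concrete, the following Python model (an added example, not AVideo code) reproduces the two checks the advisory describes, a moderator-or-owner gate on the edit path and an ownership-only gate on the delete path, runs the two-step transfer-then-delete chain against them, and then runs the same chain against a hardened variant in which every video endpoint consults one policy function keyed by the specific action. The class, field and function names are assumptions chosen for the model; the status strings and user/video records are constructed sample data.

```python
"""Model of the asymmetric authorization boundary behind CVE-2026-33650.

Added example, not AVideo code. Names (User, Video, Action, vuln_*/hard_*)
are assumptions; the "Videos Moderator" permission is modelled as a flag.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    SET_STATUS = "set_status"        # Active / Inactive / Unlisted: the documented moderator capability
    TRANSFER_OWNER = "transfer_owner"
    DELETE = "delete"


@dataclass
class User:
    id: int
    is_admin: bool = False
    can_moderate_videos: bool = False   # stands in for Permissions::canModerateVideos()


@dataclass
class Video:
    id: int
    owner_id: int
    status: str = "active"              # constructed sample value


class Forbidden(Exception):
    """Raised when an endpoint denies the request."""


# ---- Vulnerable model: each endpoint carries its own, different check ----

def vuln_edit(actor: User, video: Video, *, owner_id=None, status=None) -> None:
    """Edit gate as the advisory describes videoAddNew.json.php:
    owner OR moderator may change any field, including the owner."""
    if not (actor.is_admin or actor.id == video.owner_id or actor.can_moderate_videos):
        raise Forbidden("edit denied")
    if owner_id is not None:
        video.owner_id = owner_id
    if status is not None:
        video.status = status


def vuln_delete(actor: User, video: Video, store: dict) -> None:
    """Delete gate as the advisory describes videoDelete.json.php: ownership only."""
    if not (actor.is_admin or actor.id == video.owner_id):
        raise Forbidden("delete denied")
    del store[video.id]


# ---- Hardened model: one policy decides per (actor, video, action) ----

def authorize(actor: User, video: Video, action: Action) -> bool:
    """Single decision point shared by every video endpoint.
    A moderator who is not the owner gets exactly the documented capability."""
    if actor.is_admin or actor.id == video.owner_id:
        return True
    return actor.can_moderate_videos and action is Action.SET_STATUS


def hard_edit(actor: User, video: Video, *, owner_id=None, status=None) -> None:
    # Ownership transfer is its own action, so a moderator cannot smuggle it in via "edit".
    if owner_id is not None:
        if not authorize(actor, video, Action.TRANSFER_OWNER):
            raise Forbidden("ownership transfer denied")
        video.owner_id = owner_id
    if status is not None:
        if not authorize(actor, video, Action.SET_STATUS):
            raise Forbidden("status change denied")
        video.status = status


def hard_delete(actor: User, video: Video, store: dict) -> None:
    if not authorize(actor, video, Action.DELETE):
        raise Forbidden("delete denied")
    del store[video.id]


def moderator_chain(edit, delete) -> bool:
    """Run the transfer-to-self-then-delete chain against an endpoint pair.
    Returns True if the victim's video is gone afterwards."""
    victim = User(id=1)
    moderator = User(id=2, can_moderate_videos=True)
    store = {42: Video(id=42, owner_id=victim.id)}   # constructed sample video
    try:
        edit(moderator, store[42], owner_id=moderator.id)
        delete(moderator, store[42], store)
    except Forbidden:
        pass
    return 42 not in store


def moderator_can_set_status(edit) -> bool:
    """The documented moderator capability must keep working after hardening."""
    moderator = User(id=2, can_moderate_videos=True)
    video = Video(id=7, owner_id=1)
    try:
        edit(moderator, video, status="unlisted")
    except Forbidden:
        return False
    return video.status == "unlisted"


if __name__ == "__main__":
    print("vulnerable model, victim video deleted:", moderator_chain(vuln_edit, vuln_delete))
    print("hardened model, victim video deleted:", moderator_chain(hard_edit, hard_delete))
    print("hardened model, status change still allowed:", moderator_can_set_status(hard_edit))
```

The point of the hardened variant is not the extra `if`: it is that the delete endpoint and the edit endpoint no longer each decide for themselves what a moderator may do. When the same `authorize()` is consulted for every action, a permission cannot be widened by chaining two endpoints whose individual checks disagree, which is exactly the gap the two-step chain exploits.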
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14488
Vulnerability details
WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations, including ownership transfer and deletion of any video, despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch.
Related Threats
MITRE ATT&CK Enterprise Techniques
Exploitation for Privilege Escalation (T1068)
Why this technique?
Authorization bypass (CWE-863) in videoAddNew.json.php and videoDelete.json.php allows a Videos Moderator account to perform unauthorized ownership transfer and deletion, directly enabling privilege escalation from limited to full video management rights.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): requires enforcement of approved authorizations across all video management endpoints, directly preventing the asymmetric checks that allowed Videos Moderator privilege escalation to ownership transfer and deletion.
- AC-6 (Least Privilege): mandates least privilege for roles like Videos Moderator, restricting them to documented publicity changes and blocking access to full video editing and deletion functions.
- Flaw remediation: directly mitigates the authorization bypass by requiring identification, reporting, and timely remediation through patching, as implemented in commit 838e168.