Cyber Resilience

CVE-2026-33650

Severity: High · Public PoC

Published: 23 March 2026

Modified: 25 March 2026
KEV Added: not listed
Patch: commit 838e16818c793779406ecbf34ebaeba9830e33f8
CVSS Score (v3.1): 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L)
EPSS Score: 0.0004 (13.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33650 is a high-severity Incorrect Authorization (CWE-863) vulnerability in WWBN AVideo. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 13.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-33650 is an authorization bypass vulnerability in WWBN AVideo, an open source video platform. Affected versions are up to and including 26.0. A user with the "Videos Moderator" permission, documented as limited to changing video publicity status (Active, Inactive, Unlisted), can instead escalate privileges to perform full video management operations, such as transferring ownership or deleting any video. The issue stems from inconsistent authorization checks: `Permissions::canModerateVideos()` serves as the gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only verifies ownership, enabling exploitation (CWE-863).

An authenticated attacker with Videos Moderator privileges can exploit this over the network with low complexity and no user interaction. The attack involves a two-step chain: first, use the moderate permission to transfer ownership of a target video via `videoAddNew.json.php`, then delete it via `videoDelete.json.php` now that ownership is held. This grants control over arbitrary videos, potentially leading to data loss or manipulation, as reflected in the CVSS v3.1 score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).

The GitHub security advisory (GHSA-8x77-f38v-4m5j) and patch commit 838e16818c793779406ecbf34ebaeba9830e33f8 detail the fix, which addresses the asymmetric checks to properly restrict Videos Moderator actions. Security practitioners should upgrade to a patched version beyond 26.0 and review user permissions in existing deployments.
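The asymmetry described above, modelled as an added example (constructed for this page, not AVideo's own code): a single gate is consulted by a stand-in for `videoAddNew.json.php`, while the delete stand-in checks ownership only, and the same moderator requests are replayed once against the pre-patch behaviour and once against a consistent policy. The permission flag, field names and endpoint helpers are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the authorization boundary described above; the flag,
# field names and endpoint helpers are assumptions, not AVideo's real API.
PUBLICITY_STATES = {"a", "i", "u"}  # Active, Inactive, Unlisted

@dataclass
class User:
    id: int
    can_moderate_videos: bool = False  # the "Videos Moderator" permission
@dataclass
class Video:
    id: int
    owner_id: int
    status: str = "a"

def can_edit_full(user, video, consistent):
    # Gate for full edits (e.g. ownership transfer). consistent=False reproduces
    # the pre-patch gate, which the moderate permission alone satisfies.
    return user.id == video.owner_id or (not consistent and user.can_moderate_videos)

def video_add_new(user, video, consistent, new_owner_id=None, status=None):
    # Models videoAddNew.json.php for the two fields that matter here.
    if new_owner_id is not None:
        if not can_edit_full(user, video, consistent):
            return False
        video.owner_id = new_owner_id
    if status is not None:
        allowed = user.can_moderate_videos or user.id == video.owner_id
        if status not in PUBLICITY_STATES or not allowed:
            return False
        video.status = status
    return True

def video_delete(user, video, store):
    # Models videoDelete.json.php, which checks ownership only.
    if user.id != video.owner_id:
        return False
    store.pop(video.id, None)
    return True

def moderator_requests(consistent):
    # Replays a moderator account's status change, ownership transfer and
    # delete; returns (status_ok, transfer_ok, delete_ok, video_still_present).
    store = {1: Video(id=1, owner_id=100)}
    moderator = User(id=200, can_moderate_videos=True)
    status_ok = video_add_new(moderator, store[1], consistent, status="u")
    transfer_ok = video_add_new(moderator, store[1], consistent, new_owner_id=200)
    delete_ok = transfer_ok and video_delete(moderator, store[1], store)
    return status_ok, transfer_ok, delete_ok, 1 in store
```

With the consistent gate the moderator keeps the documented publicity change but the ownership transfer is refused, so the ownership-only delete check never becomes reachable for a video the moderator does not own.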


Vulnerability details

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations, including ownership transfer and deletion of any video, despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Authorization bypass (CWE-863) in videoAddNew.json.php and videoDelete.json.php allows a Videos Moderator account to perform unauthorized ownership transfer and deletion, directly enabling privilege escalation from limited to full video management rights.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33649 (same product: WWBN AVideo)
CVE-2026-33502 (same product: WWBN AVideo)
CVE-2025-36548 (same product: WWBN AVideo)
CVE-2026-33488 (same product: WWBN AVideo)
CVE-2026-33479 (same product: WWBN AVideo)
CVE-2026-34374 (same product: WWBN AVideo)
CVE-2026-33492 (same product: WWBN AVideo)
CVE-2026-33647 (same product: WWBN AVideo)
CVE-2026-34375 (same product: WWBN AVideo)
CVE-2026-27732 (same product: WWBN AVideo)

Affected Assets

wwbn avideo, versions ≤ 26.0

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

AC-3 Access Enforcement (prevent): Requires enforcement of approved authorizations across all video management endpoints, directly preventing the asymmetric checks that allowed Videos Moderator privilege escalation to ownership transfer and deletion.

AC-6 Least Privilege (prevent): Mandates least privilege for roles like Videos Moderator, restricting them to documented publicity changes and blocking access to full video editing and deletion functions.

Flaw remediation (prevent, recover): Directly mitigates the authorization bypass flaw by requiring identification, reporting, and timely remediation through patching, as implemented in commit 838e168.
