Cyber Posture

CVE-2026-33716

Critical · Public PoC

Published: 23 March 2026
Modified: 25 March 2026
KEV Added: not listed
Patch: available
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0014 (33.1st percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33716 is a critical-severity Improper Authentication (CWE-287) vulnerability in WWBN AVideo. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 33.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Validates the user-supplied `streamerURL` parameter to prevent attackers from redirecting token verification requests to malicious servers that bypass authentication.
- prevent: Remediates the authentication bypass flaw by timely applying the vendor patch that secures handling of the `streamerURL` parameter.
- prevent: Enforces logical access controls on the live stream control endpoint to restrict unauthorized actions such as dropping publishers or manipulating recordings.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing web endpoint (control.json.php) that unauthenticated remote attackers can exploit to gain control over live streams, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{"error": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch.

Deeper analysis (AI-generated)

CVE-2026-33716 is an authentication bypass vulnerability in WWBN AVideo, an open source video platform. Affecting versions up to and including 26.0, the issue resides in the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php`. This endpoint accepts a user-supplied `streamerURL` parameter that overrides the destination for token verification requests, enabling attackers to redirect these requests to a malicious server.

Any unauthenticated attacker with network access can exploit this vulnerability by controlling a server that responds to verification requests with `{"error": false}`, fully bypassing authentication checks. Successful exploitation grants complete control over any live stream on the platform, allowing actions such as dropping active publishers, starting or stopping recordings, and probing for stream existence. The vulnerability has a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H) and is associated with CWE-287 (Improper Authentication).

The GitHub security advisory (GHSA-9hv9-gvwm-95f2) and commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 detail the patch, which addresses the insecure handling of the `streamerURL` parameter to prevent unauthorized overrides and ensure proper token verification. Security practitioners should update to a patched version beyond 26.0 and review configurations for exposed live stream endpoints.
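The weak handling the analysis above attributes to `control.json.php` (the request choosing where the token is verified) beside a hardened variant, as an added PHP sketch that is not AVideo's code or its patch; `CONFIGURED_VERIFIER`, `fakeTransport`, both `verifyToken*` functions and every URL and token value are hypothetical or constructed.

```php
<?php
declare(strict_types=1);
// Added illustration for CVE-2026-33716, not WWBN AVideo's code or patch.
// All names, URLs and tokens here are hypothetical or constructed. It
// contrasts a request-chosen verifier address with a configuration-only one.

const CONFIGURED_VERIFIER = 'https://verifier.example.internal/verify'; // constructed

// Stand-in for an HTTP POST returning the verifier's decoded JSON reply.
// Constructed so the example runs offline: the configured verifier accepts
// one token; any other host behaves like a server that always answers
// {"error": false}, which is the response the advisory describes.
function fakeTransport(string $url, array $body): ?array
{
    if ($url === CONFIGURED_VERIFIER) {
        return ['error' => ($body['token'] ?? '') !== 'valid-token-123'];
    }
    return ['error' => false];
}

// Weak pattern: a streamerURL in the request overrides the verifier address,
// so the caller decides who answers the authentication check.
function verifyTokenWeak(array $request, callable $transport): bool
{
    $url  = $request['streamerURL'] ?? CONFIGURED_VERIFIER;
    $resp = $transport($url, ['token' => $request['token'] ?? '']);
    return empty($resp['error']);
}

// Hardened pattern: the verifier address comes only from configuration, a
// client-supplied streamerURL is logged and refused, and the reply must be
// a well-formed array whose "error" member is strictly false.
function verifyTokenHardened(array $request, callable $transport): bool
{
    if (array_key_exists('streamerURL', $request)) {
        error_log('control endpoint: refusing request with client-supplied streamerURL');
        return false;
    }
    $resp = $transport(CONFIGURED_VERIFIER, ['token' => $request['token'] ?? '']);
    return is_array($resp) && array_key_exists('error', $resp) && $resp['error'] === false;
}

$forged  = ['token' => 'bogus', 'streamerURL' => 'https://attacker.example/verify']; // constructed
$genuine = ['token' => 'valid-token-123'];                                            // constructed

foreach (['weak' => 'verifyTokenWeak', 'hardened' => 'verifyTokenHardened'] as $name => $fn) {
    printf("%-8s forged request:  %s\n", $name, $fn($forged, 'fakeTransport') ? 'accepted' : 'rejected');
    printf("%-8s genuine request: %s\n", $name, $fn($genuine, 'fakeTransport') ? 'accepted' : 'rejected');
}
```

Running it shows the weak function accepting the forged request while the hardened one refuses it and still accepts the genuine token; the `error_log` line is also the signal a defender would alert on when a request carries `streamerURL`.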

Details

CWE(s): CWE-287 (Improper Authentication)

Affected Products: wwbn avideo ≤ 26.0

CVEs Like This One

- CVE-2026-29093 (same product: WWBN AVideo)
- CVE-2026-41055 (same product: WWBN AVideo)
- CVE-2026-28501 (same product: WWBN AVideo)
- CVE-2026-33479 (same product: WWBN AVideo)
- CVE-2026-41057 (same product: WWBN AVideo)
- CVE-2026-33770 (same product: WWBN AVideo)
- CVE-2026-40925 (same product: WWBN AVideo)
- CVE-2026-41056 (same product: WWBN AVideo)
- CVE-2026-33513 (same product: WWBN AVideo)
- CVE-2026-33292 (same product: WWBN AVideo)