Cyber Posture

CVE-2026-33719

High · Public PoC

Published: 23 March 2026

Modified: 25 March 2026
KEV Added: not listed
Patch: commit adeff0a31ba04a56f411eef256139fd7ed7d4310
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)
EPSS Score: 0.0018 (39.4th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33719 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in WWBN AVideo. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-14 (prevent): Limits critical functions such as CDN configuration modification to callers that have been identified and authenticated, directly addressing the missing authentication on these endpoints.

AC-3 (prevent): Enforces approved authorizations so that unauthenticated callers cannot reach or modify the CDN plugin endpoints.

Input validation (prevent): Validates request inputs such as the `par` parameter, mitigating the mass-assignment path that enables configuration overwrites.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is in public-facing CDN plugin endpoints with missing authentication, allowing unauthenticated remote exploitation for arbitrary configuration modification (e.g., storage credentials), directly mapping to Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration — including CDN URLs, storage credentials, and the authentication key itself — via mass-assignment through the `par` request parameter. Commit adeff0a31ba04a56f411eef256139fd7ed7d4310 contains a patch.

Deeper analysis

CVE-2026-33719 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The vulnerability resides in the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php`, which implement key-based authentication using an empty string as the default key. When the CDN plugin is enabled but the key remains unconfigured in its default state, the validation check is entirely bypassed. This enables mass-assignment vulnerabilities through the `par` request parameter, allowing unauthorized modification of the complete CDN configuration.

Any unauthenticated attacker can exploit this vulnerability remotely with low complexity and no privileges, as indicated by the CVSS 3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L) and associated CWE-306 (Missing Authentication for Critical Function). Successful exploitation grants the ability to alter critical CDN settings, such as URLs, storage credentials, and the authentication key itself, potentially leading to unauthorized access to video storage, data exfiltration, or further compromise of the platform's infrastructure.

The patch is available in commit adeff0a31ba04a56f411eef256139fd7ed7d4310 on the WWBN/AVideo GitHub repository. Additional details are provided in the GitHub security advisory GHSA-r64r-883r-wcwh, which security practitioners should review for mitigation guidance and upgrade instructions.
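The two defects the description and analysis above name, a key check that is skipped when the key is still the empty default and a `par` array copied wholesale into the configuration, are shown here as a weak pattern beside a fail-closed one. This is an added illustration of the weakness class, not code from WWBN/AVideo; the function names, config field names and sample request are all assumptions.

```php
<?php
// Illustrative reconstruction of the weakness class behind CVE-2026-33719.
// Not AVideo code: function names, field names and the sample request are assumed.

// Weak pattern: the stored key defaults to '' and the comparison is only performed
// when a key exists, so an install that never configured one accepts every caller.
function weakIsAuthorized(array $pluginConfig, ?string $presentedKey): bool {
    $configuredKey = $pluginConfig['key'] ?? '';
    if ($configuredKey === '') {
        return true;            // default state: validation skipped entirely
    }
    return $configuredKey === $presentedKey;
}

// Hardened pattern: an unconfigured key closes the endpoint, and the comparison
// uses hash_equals() to avoid a timing side channel.
function hardenedIsAuthorized(array $pluginConfig, ?string $presentedKey): bool {
    $configuredKey = $pluginConfig['key'] ?? '';
    if ($configuredKey === '' || $presentedKey === null) {
        return false;           // fail closed until an operator sets a key
    }
    return hash_equals($configuredKey, $presentedKey);
}

// Mass assignment: copying every field from 'par' lets a caller overwrite anything,
// including 'key' itself. Only fields on an explicit allowlist may be written.
const CDN_WRITABLE_FIELDS = ['cdn_url', 'cdn_enabled'];   // assumed field names

function applyUpdates(array $currentConfig, array $par, array $allowlist): array {
    foreach ($par as $field => $value) {
        if (in_array($field, $allowlist, true)) {
            $currentConfig[$field] = $value;
        }
        // Fields not on the allowlist ('key', 'storage_secret', ...) are ignored.
    }
    return $currentConfig;
}

// Constructed sample: default (empty) key, request that also tries to rewrite the key.
$config = ['key' => '', 'cdn_url' => 'https://cdn.example.test', 'storage_secret' => 's3cr3t'];
$par    = ['key' => 'new-key', 'cdn_url' => 'https://other.example.test'];

var_dump(weakIsAuthorized($config, null));       // accepted: no key, no check
var_dump(hardenedIsAuthorized($config, null));   // rejected: fail closed
$updated = applyUpdates($config, $par, CDN_WRITABLE_FIELDS);
var_dump($updated['key'] === '' && $updated['storage_secret'] === 's3cr3t');
```

Detection-wise, an empty key on an enabled CDN plugin is a configuration check worth adding to deployment validation, since the hardened check above would otherwise turn the endpoints off rather than leave them open.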

Details

CWE(s): CWE-306 Missing Authentication for Critical Function

Affected Products: WWBN AVideo, versions ≤ 26.0

CVEs Like This One

CVE-2026-33038 (same product: WWBN AVideo)
CVE-2026-34732 (same product: WWBN AVideo)
CVE-2026-34731 (same product: WWBN AVideo)
CVE-2025-34434 (same product: WWBN AVideo)
CVE-2026-33716 (same product: WWBN AVideo)
CVE-2026-41055 (same product: WWBN AVideo)
CVE-2026-28501 (same product: WWBN AVideo)
CVE-2026-33479 (same product: WWBN AVideo)
CVE-2026-41057 (same product: WWBN AVideo)
CVE-2026-33770 (same product: WWBN AVideo)
