CVE-2026-33037 Overview
CVE-2026-33037 is an insecure default configuration vulnerability in WWBN AVideo, an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation. This means any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover.
No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk.
Critical Impact
Administrative takeover of AVideo instances using default credentials enables full platform compromise including user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management.
Affected Products
- WWBN AVideo versions 25.0 and below
- Docker deployments using default docker-compose.yml and env.example configurations
- Instances where SYSTEM_ADMIN_PASSWORD was not overridden during deployment
Discovery Timeline
- 2026-03-20 - CVE CVE-2026-33037 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33037
Vulnerability Analysis
This vulnerability represents a classic insecure default configuration issue (CWE-1188) that creates immediate security exposure upon deployment. The flaw exists in the official Docker deployment configuration files where the SYSTEM_ADMIN_PASSWORD environment variable defaults to the trivially guessable value "password". This credential is then used to seed the administrative account during the installation process.
The vulnerability is particularly dangerous because it affects the recommended deployment method (Docker), meaning users following official documentation are exposed by default. The attack vector is network-accessible, allowing remote attackers to authenticate to the administrative interface using the known default credentials without any prior access to the system.
Successful exploitation grants complete administrative control over the AVideo platform. An attacker can access and exfiltrate user data, manipulate video content and metadata, and potentially achieve remote code execution through the platform's file upload functionality and plugin management system. The use of weak MD5 hashing for password storage further compounds the security weakness.
Root Cause
The root cause is the shipping of hardcoded default credentials in the official Docker deployment configuration files. The env.example file contained SYSTEM_ADMIN_PASSWORD=password, and no validation or warning mechanism existed to detect or prevent the use of this insecure default. The lack of forced password change on first login, password complexity requirements, and default credential detection allowed this vulnerability to persist into production deployments.
Attack Vector
The attack is trivial to execute: an attacker simply navigates to the AVideo administrative login interface and authenticates using the username admin with password password. This is a network-based attack requiring no authentication, no user interaction, and low complexity. The condition for exploitation is that operators fail to change the default credentials—a condition likely met in quick-start, demo, and automated deployments.
fi
echo "entrypoint -- Checking configuration..."
+if [ -z "${SYSTEM_ADMIN_PASSWORD}" ] || [ "${SYSTEM_ADMIN_PASSWORD}" = "password" ]; then
+ echo "WARNING: SYSTEM_ADMIN_PASSWORD is not set or uses the insecure default."
+ echo " The installer will generate a random password."
+ echo " Retrieve it from container logs or videos/.initial_admin_password."
+fi
cd /var/www/html/AVideo/install/
php ./cli.php
cd /var/www/html/AVideo/
Source: GitHub Commit 2075fac1a51f21fab5d8592235a095aa354a9de6
The patch adds detection for empty or default passwords and automatically generates a random password when insecure defaults are detected, storing it in videos/.initial_admin_password for administrator retrieval.
Detection Methods for CVE-2026-33037
Indicators of Compromise
- Successful authentication attempts to the admin panel from unexpected IP addresses
- Creation of new administrator accounts or modification of existing admin credentials
- Unexpected file uploads through the administrative interface, particularly in plugin directories
- Database access logs showing queries to user tables or credential modifications
- Changes to site configuration or content management settings without authorized administrator activity
Detection Strategies
- Audit environment configuration files to verify SYSTEM_ADMIN_PASSWORD is not set to password or left empty
- Monitor authentication logs for login attempts using the admin username from external networks
- Implement alerting on successful admin logins from new or unexpected source IP addresses
- Review container logs for the warning message indicating insecure default password usage
Monitoring Recommendations
- Enable verbose logging on the AVideo administrative interface
- Configure SIEM rules to detect multiple authentication attempts to admin endpoints
- Implement geo-IP blocking or allowlisting for administrative access
- Set up alerts for any new administrative user creation or privilege escalation events
How to Mitigate CVE-2026-33037
Immediate Actions Required
- Change the SYSTEM_ADMIN_PASSWORD in your environment configuration to a strong, unique password immediately
- Review administrative access logs for any unauthorized login activity since deployment
- Audit for any unauthorized administrative accounts, uploaded files, or configuration changes
- Update database credentials from the default avideo/avideo to unique, strong credentials
- Restart the AVideo container after making credential changes to ensure they take effect
Patch Information
This vulnerability has been fixed in AVideo version 26.0. The patch modifies the Docker entrypoint script to detect when SYSTEM_ADMIN_PASSWORD is empty or set to the insecure default value password. When detected, the installer now automatically generates a random password and logs a warning message. The generated password is saved to videos/.initial_admin_password for administrator retrieval.
Users should upgrade to version 26.0 or later. The security advisory and patch details are available in the GitHub Security Advisory GHSA-89rv-p523-6wg9 and the commit implementing the fix.
Workarounds
- Set a strong, unique SYSTEM_ADMIN_PASSWORD in your env file before deployment
- Restrict network access to the administrative interface using firewall rules or reverse proxy configuration
- Implement IP allowlisting for administrative endpoints
- Enable multi-factor authentication if supported by your deployment configuration
- Change default database credentials (avideo/avideo) to unique values
# Configuration example - Set strong credentials in your .env file
SYSTEM_ADMIN_PASSWORD=YourStrongUniquePassword123!
# Also update default database credentials
MYSQL_USER=custom_db_user
MYSQL_PASSWORD=AnotherStrongPassword456!
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
