CVE-2026-33038 Overview
CVE-2026-33038 is an authentication bypass vulnerability in WWBN AVideo, an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. This endpoint performs full application initialization including database setup, admin account creation, and configuration file write operations—all accepting unauthenticated POST input. The vulnerability allows remote attackers to completely hijack uninitialized AVideo deployments by completing the installation process with attacker-controlled credentials.
Critical Impact
Remote attackers can gain full administrative access to uninitialized AVideo deployments by exploiting the installation endpoint, potentially compromising all video content, user data, and server resources.
Affected Products
- WWBN AVideo versions 25.0 and below
Discovery Timeline
- 2026-03-20 - CVE-2026-33038 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33038
Vulnerability Analysis
The vulnerability exists in the install/checkConfiguration.php endpoint of WWBN AVideo. This endpoint is responsible for performing the initial application setup including database configuration, administrator account creation, and writing configuration files. The critical flaw is that all these sensitive operations accept unauthenticated POST input without proper access controls.
The only security measure in place is a check for whether the videos/configuration.php file already exists. However, on fresh or uninitialized deployments where this configuration file has not yet been created, any remote attacker can access the installation endpoint and complete the setup process with their own malicious parameters. This allows attackers to specify their own administrator credentials and even point the application to an attacker-controlled database.
This represents a classic case of Missing Authentication for Critical Function (CWE-306), where security-sensitive functionality is exposed without requiring authentication.
Root Cause
The root cause is the lack of authentication enforcement on the install/checkConfiguration.php endpoint. The installation script relies solely on the existence of a configuration file as a guard against unauthorized access, which is insufficient for deployments that have not yet completed initial setup. The design fails to implement proper access controls or authentication mechanisms to protect the critical initialization functionality.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can remotely access the vulnerable installation endpoint via HTTP POST requests. The exploitation scenario involves:
- Scanning for AVideo installations that have not completed initial setup
- Accessing the install/checkConfiguration.php endpoint directly
- Submitting a POST request with attacker-controlled parameters for database connection, administrator username, and password
- Gaining full administrative access to the application with the newly created attacker credentials
The attacker can then leverage administrative access to upload malicious content, access sensitive user data, modify platform settings, or potentially achieve further system compromise depending on server configuration.
Detection Methods for CVE-2026-33038
Indicators of Compromise
- Unexpected HTTP requests to /install/checkConfiguration.php from external IP addresses
- Unauthorized administrator accounts appearing in the AVideo user database
- Changes to videos/configuration.php without authorized administrator action
- Database connection settings pointing to external or unknown database servers
Detection Strategies
- Monitor web server access logs for requests targeting /install/checkConfiguration.php
- Implement alerts for any POST requests to installation-related endpoints on production systems
- Regularly audit administrator accounts for unauthorized entries
- Use file integrity monitoring on critical configuration files including videos/configuration.php
Monitoring Recommendations
- Deploy web application firewall (WAF) rules to block access to installation directories on initialized deployments
- Configure intrusion detection systems to alert on access attempts to /install/ paths
- Implement network monitoring to detect unusual outbound connections from the AVideo server
How to Mitigate CVE-2026-33038
Immediate Actions Required
- Upgrade WWBN AVideo to version 26.0 or later immediately
- Remove or restrict access to the /install/ directory on production deployments
- Audit existing administrator accounts for unauthorized entries
- Review configuration files for unexpected modifications
Patch Information
The vulnerability has been fixed in WWBN AVideo version 26.0. The security fix is available in commit b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1. Organizations should upgrade to the latest version to remediate this vulnerability.
For detailed information about the fix, refer to the GitHub commit and the GitHub Security Advisory GHSA-2f9h-23f7-8gcx.
Workarounds
- Block access to the /install/ directory at the web server level using .htaccess rules or server configuration
- Implement network-level access controls to restrict access to AVideo installation endpoints
- If unable to upgrade immediately, manually create a placeholder videos/configuration.php file to prevent exploitation on uninitialized systems
# Block access to install directory in Apache (.htaccess)
<Directory "/var/www/avideo/install">
Require all denied
</Directory>
# Or for Nginx, add to server block:
# location /install/ {
# deny all;
# return 403;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
