CVE-2026-33043 Overview
WWBN AVideo, an open source video platform, contains a critical Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability that enables cross-origin session theft and full account takeover. The vulnerability exists in versions 25.0 and below, where the /objects/phpsessionid.json.php endpoint exposes the current PHP session ID to any unauthenticated request. Combined with an improperly implemented allowOrigin() function that reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, attackers can steal user sessions from any malicious third-party website.
Critical Impact
Unauthenticated attackers can leverage this CORS misconfiguration to steal authenticated user sessions and achieve full account takeover by hosting a malicious webpage that makes credentialed cross-origin requests to the vulnerable AVideo instance.
Affected Products
- WWBN AVideo versions 25.0 and below
- AVideo installations with default CORS configuration
- Self-hosted AVideo instances exposed to the internet
Discovery Timeline
- 2026-03-20 - CVE-2026-33043 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33043
Vulnerability Analysis
This vulnerability is classified as CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). The core issue stems from two interrelated security flaws in the AVideo platform's session handling and CORS implementation.
The first flaw is the exposure of sensitive session information. The endpoint /objects/phpsessionid.json.php directly returns the PHP session ID in JSON format without any authentication check. Any request to this endpoint receives the current session identifier in the response body.
The second flaw is the permissive CORS configuration. The allowOrigin() function blindly reflects whatever Origin header is provided in the request back as the Access-Control-Allow-Origin response header. When combined with Access-Control-Allow-Credentials: true, this creates a perfect storm for cross-origin credential theft. The browser's same-origin policy, which would normally prevent such attacks, is bypassed because the server explicitly permits credentials from any origin.
Root Cause
The root cause is twofold: first, the phpsessionid.json.php endpoint was designed to be consumed only by same-origin JavaScript but lacked proper origin validation. Second, the allowOrigin() function in objects/functions.php implemented a dangerous pattern of reflecting arbitrary origins without validation against a whitelist or the site's own origin. This combination violates OWASP guidelines A01 (Broken Access Control) and A05 (Security Misconfiguration).
Attack Vector
The attack requires user interaction—specifically, a victim must visit an attacker-controlled webpage while authenticated to the vulnerable AVideo instance. The attacker's malicious page makes a credentialed cross-origin request to /objects/phpsessionid.json.php. Because the server reflects the attacker's origin with credentials allowed, the browser permits the attacker's JavaScript to read the response containing the victim's session ID. The attacker can then hijack the session and gain full access to the victim's account.
// Vulnerable code pattern in objects/phpsessionid.json.php (before fix)
// This endpoint returned session IDs with permissive CORS headers
global $global, $config;
$doNotConnectDatabaseIncludeConfig = 1;
require_once __DIR__.'/../videos/configuration.php';
allowOrigin(); // Reflected any Origin with credentials: true
header('Content-Type: application/json');
$obj = new stdClass();
$obj->phpsessid = session_id(); // Exposed sensitive session ID
echo _json_encode($obj);
Source: GitHub Commit Update
Detection Methods for CVE-2026-33043
Indicators of Compromise
- Unusual cross-origin requests to /objects/phpsessionid.json.php from external domains in web server access logs
- Unexpected session activity or account access from IP addresses or geolocations inconsistent with legitimate user behavior
- Multiple session ID requests originating from different referrer domains within short time windows
Detection Strategies
- Implement web application firewall (WAF) rules to monitor and alert on requests to /objects/phpsessionid.json.php containing external Origin headers
- Review web server access logs for patterns indicating session harvesting: high volume requests to the vulnerable endpoint with varying Origin headers
- Deploy anomaly detection for user session activity to identify sessions suddenly being accessed from different networks or geographic locations
Monitoring Recommendations
- Enable detailed logging for all requests to sensitive endpoints including /objects/phpsessionid.json.php
- Monitor for session hijacking patterns such as rapid IP address changes within a single session
- Set up alerts for any cross-origin requests to session-related endpoints with credentials
How to Mitigate CVE-2026-33043
Immediate Actions Required
- Upgrade WWBN AVideo to version 26.0 or later immediately, as this version contains the security fix
- If immediate upgrade is not possible, restrict access to /objects/phpsessionid.json.php at the web server level
- Rotate all active user sessions after applying the patch to invalidate any potentially compromised session IDs
- Review access logs for any suspicious activity targeting the vulnerable endpoint prior to patching
Patch Information
The vulnerability has been fixed in WWBN AVideo version 26.0. The fix implements two key changes: First, the allowOrigin() function now validates incoming Origin headers against the site's configured origin ($global['webSiteRootURL']) instead of blindly reflecting any origin. Second, the phpsessionid.json.php endpoint no longer calls allowOrigin() at all, relying on the browser's default same-origin policy to protect the sensitive session data. The security patch is available via GitHub Commit 9f4f51e.
Workarounds
- Block access to /objects/phpsessionid.json.php at the reverse proxy or web server level using access control rules
- Implement strict Content-Security-Policy headers to limit which origins can embed or interact with your AVideo instance
- Place the AVideo instance behind a VPN or authentication layer if public access is not required
// Fixed CORS validation in objects/functions.php (version 26.0)
// Now validates Origin against the site's configured origin
$siteOrigin = '';
if (!empty($global['webSiteRootURL'])) {
$parsed = parse_url($global['webSiteRootURL']);
if (!empty($parsed['scheme']) && !empty($parsed['host'])) {
$siteOrigin = $parsed['scheme'] . '://' . $parsed['host'];
if (!empty($parsed['port'])) {
$siteOrigin .= ':' . $parsed['port'];
}
}
}
$requestOrigin = $_SERVER['HTTP_ORIGIN'] ?? '';
$isSameOrigin = !empty($siteOrigin) && $requestOrigin === $siteOrigin;
// Only allow credentials for same-origin requests
if ($isSameOrigin) {
header("Access-Control-Allow-Origin: " . $requestOrigin);
header("Access-Control-Allow-Credentials: true");
}
Source: GitHub Commit Update
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
