Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33043

CVE-2026-33043: Wwbn Avideo Auth Bypass Vulnerability

CVE-2026-33043 is an authentication bypass flaw in Wwbn Avideo that exposes PHP session IDs, enabling cross-origin session theft and account takeover. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-33043 Overview

WWBN AVideo, an open source video platform, contains a critical Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability that enables cross-origin session theft and full account takeover. The vulnerability exists in versions 25.0 and below, where the /objects/phpsessionid.json.php endpoint exposes the current PHP session ID to any unauthenticated request. Combined with an improperly implemented allowOrigin() function that reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, attackers can steal user sessions from any malicious third-party website.

Critical Impact

Unauthenticated attackers can leverage this CORS misconfiguration to steal authenticated user sessions and achieve full account takeover by hosting a malicious webpage that makes credentialed cross-origin requests to the vulnerable AVideo instance.

Affected Products

  • WWBN AVideo versions 25.0 and below
  • AVideo installations with default CORS configuration
  • Self-hosted AVideo instances exposed to the internet

Discovery Timeline

  • 2026-03-20 - CVE-2026-33043 published to NVD
  • 2026-03-23 - Last updated in NVD database

Technical Details for CVE-2026-33043

Vulnerability Analysis

This vulnerability is classified as CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). The core issue stems from two interrelated security flaws in the AVideo platform's session handling and CORS implementation.

The first flaw is the exposure of sensitive session information. The endpoint /objects/phpsessionid.json.php directly returns the PHP session ID in JSON format without any authentication check. Any request to this endpoint receives the current session identifier in the response body.

The second flaw is the permissive CORS configuration. The allowOrigin() function blindly reflects whatever Origin header is provided in the request back as the Access-Control-Allow-Origin response header. When combined with Access-Control-Allow-Credentials: true, this creates a perfect storm for cross-origin credential theft. The browser's same-origin policy, which would normally prevent such attacks, is bypassed because the server explicitly permits credentials from any origin.

Root Cause

The root cause is twofold: first, the phpsessionid.json.php endpoint was designed to be consumed only by same-origin JavaScript but lacked proper origin validation. Second, the allowOrigin() function in objects/functions.php implemented a dangerous pattern of reflecting arbitrary origins without validation against a whitelist or the site's own origin. This combination violates OWASP guidelines A01 (Broken Access Control) and A05 (Security Misconfiguration).

Attack Vector

The attack requires user interaction—specifically, a victim must visit an attacker-controlled webpage while authenticated to the vulnerable AVideo instance. The attacker's malicious page makes a credentialed cross-origin request to /objects/phpsessionid.json.php. Because the server reflects the attacker's origin with credentials allowed, the browser permits the attacker's JavaScript to read the response containing the victim's session ID. The attacker can then hijack the session and gain full access to the victim's account.

php
// Vulnerable code pattern in objects/phpsessionid.json.php (before fix)
// This endpoint returned session IDs with permissive CORS headers
global $global, $config;
$doNotConnectDatabaseIncludeConfig = 1;
require_once __DIR__.'/../videos/configuration.php';
allowOrigin();  // Reflected any Origin with credentials: true
header('Content-Type: application/json');

$obj = new stdClass();
$obj->phpsessid = session_id();  // Exposed sensitive session ID

echo _json_encode($obj);

Source: GitHub Commit Update

Detection Methods for CVE-2026-33043

Indicators of Compromise

  • Unusual cross-origin requests to /objects/phpsessionid.json.php from external domains in web server access logs
  • Unexpected session activity or account access from IP addresses or geolocations inconsistent with legitimate user behavior
  • Multiple session ID requests originating from different referrer domains within short time windows

Detection Strategies

  • Implement web application firewall (WAF) rules to monitor and alert on requests to /objects/phpsessionid.json.php containing external Origin headers
  • Review web server access logs for patterns indicating session harvesting: high volume requests to the vulnerable endpoint with varying Origin headers
  • Deploy anomaly detection for user session activity to identify sessions suddenly being accessed from different networks or geographic locations

Monitoring Recommendations

  • Enable detailed logging for all requests to sensitive endpoints including /objects/phpsessionid.json.php
  • Monitor for session hijacking patterns such as rapid IP address changes within a single session
  • Set up alerts for any cross-origin requests to session-related endpoints with credentials

How to Mitigate CVE-2026-33043

Immediate Actions Required

  • Upgrade WWBN AVideo to version 26.0 or later immediately, as this version contains the security fix
  • If immediate upgrade is not possible, restrict access to /objects/phpsessionid.json.php at the web server level
  • Rotate all active user sessions after applying the patch to invalidate any potentially compromised session IDs
  • Review access logs for any suspicious activity targeting the vulnerable endpoint prior to patching

Patch Information

The vulnerability has been fixed in WWBN AVideo version 26.0. The fix implements two key changes: First, the allowOrigin() function now validates incoming Origin headers against the site's configured origin ($global['webSiteRootURL']) instead of blindly reflecting any origin. Second, the phpsessionid.json.php endpoint no longer calls allowOrigin() at all, relying on the browser's default same-origin policy to protect the sensitive session data. The security patch is available via GitHub Commit 9f4f51e.

Workarounds

  • Block access to /objects/phpsessionid.json.php at the reverse proxy or web server level using access control rules
  • Implement strict Content-Security-Policy headers to limit which origins can embed or interact with your AVideo instance
  • Place the AVideo instance behind a VPN or authentication layer if public access is not required
php
// Fixed CORS validation in objects/functions.php (version 26.0)
// Now validates Origin against the site's configured origin
$siteOrigin = '';
if (!empty($global['webSiteRootURL'])) {
    $parsed = parse_url($global['webSiteRootURL']);
    if (!empty($parsed['scheme']) && !empty($parsed['host'])) {
        $siteOrigin = $parsed['scheme'] . '://' . $parsed['host'];
        if (!empty($parsed['port'])) {
            $siteOrigin .= ':' . $parsed['port'];
        }
    }
}

$requestOrigin = $_SERVER['HTTP_ORIGIN'] ?? '';
$isSameOrigin  = !empty($siteOrigin) && $requestOrigin === $siteOrigin;

// Only allow credentials for same-origin requests
if ($isSameOrigin) {
    header("Access-Control-Allow-Origin: " . $requestOrigin);
    header("Access-Control-Allow-Credentials: true");
}

Source: GitHub Commit Update

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne