CVE-2026-33237 Overview
WWBN AVideo is an open source video platform that contains a Server-Side Request Forgery (SSRF) vulnerability in the Scheduler plugin prior to version 26.0. The vulnerability exists in the run() function within plugin/Scheduler/Scheduler.php, where the admin-configurable callbackURL parameter is validated only by isValidURL() (a URL format check) without being passed through the isSSRFSafeURL() function that blocks requests to RFC-1918 private addresses, loopback interfaces, and cloud metadata endpoints.
Critical Impact
An administrator can configure a scheduled task with an internal-network callback URL and have the AVideo server fetch it, turning the Scheduler into an SSRF relay against cloud metadata services (such as AWS IMDSv1 at 169.254.169.254) or internal APIs not otherwise reachable from the internet. IMDSv1 answers a plain GET; IMDSv2 first requires a PUT to obtain a session token and then that token in a request header, which a simple GET-based callback fetch cannot supply, so the metadata impact is highest on instances still allowing IMDSv1.
Affected Products
- WWBN AVideo versions prior to 26.0
- AVideo Scheduler plugin (plugin/Scheduler/Scheduler.php)
- Self-hosted AVideo instances with Scheduler plugin enabled
Discovery Timeline
- 2026-03-21 - CVE-2026-33237 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33237
Vulnerability Analysis
This SSRF vulnerability stems from inconsistent input validation across the AVideo codebase. While other AVideo endpoints were recently patched for similar SSRF issues (referenced as GHSA-9x67-f2v7-63rw and GHSA-h39h-7cvg-q7j6), the Scheduler plugin's callback URL handling was overlooked. The url_get_contents() function is called with the admin-supplied callbackURL parameter, which undergoes only basic URL format validation via isValidURL() rather than the more restrictive isSSRFSafeURL() check that enforces protections against internal network access.
The vulnerability requires administrative privileges to exploit, as only authenticated administrators can configure scheduled tasks with arbitrary callback URLs. However, in cloud environments, this can lead to significant security impact through access to cloud metadata services, potentially exposing IAM credentials, instance configuration data, and other sensitive information.
Root Cause
The root cause is missing SSRF protection in the Scheduler plugin's callback URL validation. The isSSRFSafeURL() function, which blocks requests to RFC-1918 private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback addresses (127.0.0.0/8), and cloud metadata endpoints (169.254.169.254), was not applied to the Scheduler's callbackURL parameter despite being implemented for other endpoints.
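What the missing check has to do, shown as an added example rather than AVideo's own PHP: a Python validator that rejects non-http(s) schemes, userinfo tricks, literal and IPv4-mapped internal addresses, and any hostname that resolves to a blocked range. The function names, the blocked-range list and the constructed FAKE_DNS table used so it runs offline are this example's assumptions, not the project's implementation.

```python
# Added example (not AVideo code): the checks an SSRF-safe URL validator needs.
# Names, the blocked-range list and the fake resolver are this example's own.
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations an application server must never be coerced into contacting.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",          # "this" network; 0.0.0.0 reaches localhost on Linux
    "10.0.0.0/8",         # RFC 1918
    "172.16.0.0/12",      # RFC 1918
    "192.168.0.0/16",     # RFC 1918
    "127.0.0.0/8",        # loopback
    "169.254.0.0/16",     # link-local, includes the 169.254.169.254 metadata endpoint
    "100.64.0.0/10",      # RFC 6598 shared space, used for some clouds' internal services
    "::1/128",            # IPv6 loopback
    "fc00::/7",           # IPv6 unique-local (covers the AWS IMDS IPv6 endpoint fd00:ec2::254)
    "fe80::/10",          # IPv6 link-local
)]


def _is_blocked(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before comparing.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host):
    """Every address the host resolves to; getaddrinfo also normalises forms such
    as 127.1, 0x7f000001 and 2130706433 that ipaddress.ip_address() rejects."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_ssrf_safe_url(url, resolver=system_resolver):
    """True only for http(s) URLs whose host, and every address it resolves to,
    lies outside BLOCKED_NETWORKS. This is the guarantee the missing
    isSSRFSafeURL() call has to provide. It cannot cover the target redirecting,
    or the name re-resolving to an internal address after this check (DNS
    rebinding); the HTTP client must handle those at connect time."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                      # no file://, gopher://, ftp:// ...
    if parts.username is not None or parts.password is not None:
        return False                      # http://169.254.169.254@evil.example/ confusion
    host = parts.hostname
    if not host:
        return False
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IPv4/IPv6 host
    except ValueError:
        try:
            addrs = set(resolver(host))
        except OSError:
            return False                  # unresolvable: fail closed
    if not addrs:
        return False
    # One public plus one private record is still an attack (round-robin/rebinding).
    return not any(_is_blocked(ipaddress.ip_address(a)) for a in addrs)


# Constructed DNS table so the example runs offline; the example.net names are placeholders.
FAKE_DNS = {
    "hooks.example.net": ["203.0.113.10"],
    "rebind.example.net": ["203.0.113.10", "10.0.0.5"],
    "meta.example.net": ["169.254.169.254"],
}


def fake_resolver(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"{host}: Name or service not known")


def demo():
    """Returns {url: allowed?} for a set of callback URLs an admin might submit."""
    urls = [
        "https://hooks.example.net/avideo/done",
        "http://169.254.169.254/latest/meta-data/",
        "http://meta.example.net/latest/meta-data/",
        "http://rebind.example.net/",
        "http://[::ffff:10.0.0.1]/",
        "http://admin@10.0.0.1/",
        "file:///etc/passwd",
        "http://nonexistent.example.net/",
    ]
    return {u: is_ssrf_safe_url(u, fake_resolver) for u in urls}


if __name__ == "__main__":
    for url, ok in demo().items():
        print("ALLOW" if ok else "BLOCK", url)
```

Resolving through the same resolver the HTTP client will use is what makes forms such as 127.1 or 0x7f000001 land in the blocked list; the remaining gap, a name that re-resolves or a redirect to an internal address after the check, has to be closed in the client that performs the fetch.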
Attack Vector
The attack is network-based and requires high privileges (admin access). An authenticated administrator can configure a scheduled task with a malicious callbackURL pointing to internal resources such as:
- Cloud metadata services (e.g., http://169.254.169.254/latest/meta-data/)
- Internal APIs on private network ranges
- Local services via loopback addresses
- Other internal infrastructure not exposed to the internet
The following patch shows the security fix applied in version 26.0:
if (!isValidURL($callBackURL)) {
return false;
}
+ if (!isSSRFSafeURL($callBackURL)) {
+ _error_log("Scheduler::run SSRF protection blocked callbackURL: " . $callBackURL);
+ return false;
+ }
if (empty($_executeSchelude[$callBackURL])) {
$callBackURL = addQueryStringParameter($callBackURL, 'token', getToken(60));
$callBackURL = addQueryStringParameter($callBackURL, 'scheduler_commands_id', $scheduler_commands_id);
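Review bot: the isSSRFSafeURL() check added at the top of this hunk validates $callBackURL as a string before the request is issued, so it needs a matching guard where the fetch actually happens: if url_get_contents() follows HTTP redirects, or the hostname resolves to a different address at connect time than at check time (DNS rebinding), a URL that passes here can still reach 169.254.169.254 or a private address. Please confirm redirects are disabled or re-validated for this fetch, and that addQueryStringParameter() on the two lines after the check can only touch the query string, since the value is rewritten after it was validated.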
Source: GitHub Commit Update
Detection Methods for CVE-2026-33237
Indicators of Compromise
- Scheduled tasks configured with callback URLs pointing to internal IP ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
- Callback URLs targeting cloud metadata endpoints (169.254.169.254)
- Unusual outbound requests from the AVideo server to internal network resources
- Error-log entries containing "Scheduler::run SSRF protection blocked callbackURL:" followed by the rejected URL, which patched instances write whenever a blocked callback is attempted
Detection Strategies
- Monitor AVideo admin activity logs for creation or modification of scheduled tasks with internal network URLs
- Implement network egress filtering to detect and alert on requests to metadata endpoints from web application servers
- Review database entries in the scheduler_commands table for suspicious callbackURL values
- Deploy web application firewall (WAF) rules that flag private-range, loopback and metadata addresses in the callbackURL value submitted to the Scheduler admin interface (the WAF sees the request that stores the URL, not the server-side fetch it later triggers)
Monitoring Recommendations
- Enable verbose logging for the Scheduler plugin to capture all callback URL requests
- Configure alerts for outbound connections from the AVideo server to RFC-1918 private address ranges that are not among its known dependencies (database, cache, DNS)
- Monitor for unexpected access to cloud provider metadata services from application servers
- Audit administrative actions related to scheduled task configuration
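A way to work through the first indicators and the scheduler_commands review above, as an added example that is not AVideo code: a Python audit that classifies the literal host of each stored callbackURL and extracts the URLs from the error-log message the 26.0 patch writes. The scheduler_commands rows, the log lines and their timestamp prefix are constructed samples; the real column set and log format should be checked against the installed version.

```python
# Added example (not AVideo code): audit stored Scheduler callback URLs and the
# post-patch error log for internal targets. Sample rows and log lines are
# constructed; the table and column names follow the advisory text.
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed rows in the shape of
#   SELECT id, callbackURL FROM scheduler_commands;
SAMPLE_ROWS = [
    (1, "https://hooks.example.net/avideo/done"),
    (2, "http://169.254.169.254/latest/meta-data/iam/security-credentials/"),
    (3, "http://10.0.3.7:8080/admin/api"),
    (4, "http://localhost/plugin/API/get.json.php"),
    (5, "http://[::ffff:127.0.0.1]/"),
    (6, "http://metadata.google.internal/computeMetadata/v1/"),
]

# Constructed log excerpt. The "Scheduler::run SSRF protection blocked callbackURL:"
# text is the message the 26.0 patch passes to _error_log(); the timestamp prefix is assumed.
SAMPLE_LOG = """\
[24-Mar-2026 02:10:01] Scheduler::run SSRF protection blocked callbackURL: http://192.168.1.20/ipmi/login
[24-Mar-2026 02:10:05] Scheduler::run SSRF protection blocked callbackURL: http://169.254.169.254/latest/api/token
[24-Mar-2026 02:10:09] some unrelated message
"""

INTERNAL_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}
INTERNAL_SUFFIXES = (".localhost", ".local", ".internal")
BLOCKED_RE = re.compile(r"SSRF protection blocked callbackURL: (\S+)")


def classify_target(url):
    """Reason string if the URL's literal host is an internal target, else None.
    Deliberately does no DNS so it can run offline over historical data; it will
    not catch an attacker-owned hostname that resolves to an internal address."""
    host = (urlsplit(url).hostname or "").lower()
    if host in INTERNAL_HOSTNAMES or host.endswith(INTERNAL_SUFFIXES):
        return f"internal hostname {host}"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None                      # ordinary hostname; needs resolution to judge
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped              # ::ffff:127.0.0.1 is still loopback
    if ip.is_loopback:
        return f"loopback {ip}"
    if ip.is_link_local:
        return f"link-local {ip} (cloud metadata range)"
    if ip.is_private:
        return f"private/RFC 1918 {ip}"
    return None


def audit_rows(rows):
    """(id, url, reason) for every scheduler_commands row pointing at an internal target."""
    return [(row_id, url, reason) for row_id, url in rows
            if (reason := classify_target(url))]


def audit_log(text):
    """(url, reason) for each blocked-callback line written by the patched Scheduler."""
    return [(m.group(1), classify_target(m.group(1))) for m in BLOCKED_RE.finditer(text)]


if __name__ == "__main__":
    for row_id, url, reason in audit_rows(SAMPLE_ROWS):
        print(f"scheduler_commands id={row_id}: {reason}: {url}")
    for url, reason in audit_log(SAMPLE_LOG):
        print(f"blocked after patch: {reason}: {url}")
```

Run audit_rows() over the live table before and after upgrading: a hit before the upgrade is a task that has already been firing against an internal target, and a hit in the error log after the upgrade shows the same task still being scheduled and now being refused.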
How to Mitigate CVE-2026-33237
Immediate Actions Required
- Upgrade WWBN AVideo to version 26.0 or later immediately
- Review all existing scheduled tasks for suspicious callback URLs targeting internal networks
- Implement network-level egress filtering to block requests to cloud metadata endpoints and internal networks from the web server
- Audit administrative access and remove unnecessary admin privileges
Patch Information
WWBN has released version 26.0 which addresses this vulnerability by adding the isSSRFSafeURL() validation check to the Scheduler plugin's callback URL processing. The fix is available in commit df926e500580c2a1e3c70351f0c30f4e15c0fd83. For detailed information, refer to the GitHub Security Advisory.
Workarounds
- Restrict administrative access to trusted users only until the patch can be applied
- Implement network segmentation to prevent the AVideo server from reaching internal services
- Require IMDSv2 on AWS (aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required) so that metadata access needs a session token obtained with a PUT, which a GET-based callback fetch cannot perform; apply the equivalent metadata hardening on other providers where available
- Use a firewall or proxy to block outbound requests from the AVideo server to private IP ranges and metadata endpoints
# Example iptables rules to block SSRF targets from the AVideo server.
# Scoped with the owner match to the PHP/web-server user (www-data on Debian/Ubuntu;
# adjust to your PHP-FPM or Apache user) so the host's own DNS, database and cloud-agent
# traffic is unaffected. REJECT makes the blocked fetch fail immediately instead of
# hanging until timeout. The rules must precede any blanket ACCEPT in the OUTPUT chain.
WEBUSER=www-data
# Allow legitimate internal dependencies first, e.g. a database at 10.0.5.10 (example address)
iptables -A OUTPUT -m owner --uid-owner "$WEBUSER" -d 10.0.5.10 -p tcp --dport 3306 -j ACCEPT
# Block cloud metadata endpoint
iptables -A OUTPUT -m owner --uid-owner "$WEBUSER" -d 169.254.169.254 -j REJECT
# Block RFC-1918 private ranges (adjust based on legitimate internal needs)
iptables -A OUTPUT -m owner --uid-owner "$WEBUSER" -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner "$WEBUSER" -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner "$WEBUSER" -d 192.168.0.0/16 -j REJECT
# Block loopback from the web application context; omit this if AVideo reaches MySQL or
# Redis over 127.0.0.1, and mirror the whole set with ip6tables for ::1 and fd00:ec2::254
iptables -A OUTPUT -m owner --uid-owner "$WEBUSER" -d 127.0.0.0/8 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


