CVE-2026-33292 Overview
WWBN AVideo is an open source video platform that contains a path traversal vulnerability in its HLS streaming endpoint. Prior to version 26.0, the view/hls.php endpoint is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two divergent code paths — one for authorization (which truncates at the first / segment) and one for file access (which preserves .. traversal sequences) — creating a split-oracle condition where authorization is checked against one video while content is served from another.
Critical Impact
Unauthenticated attackers can bypass authorization controls to access and stream private or paid video content, potentially leading to intellectual property theft and revenue loss for content creators.
Affected Products
- WWBN AVideo versions prior to 26.0
- All installations utilizing the HLS streaming functionality (view/hls.php)
- Self-hosted and cloud-deployed AVideo instances without the security patch
Discovery Timeline
- 2026-03-22 - CVE-2026-33292 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33292
Vulnerability Analysis
This vulnerability represents a classic path traversal (CWE-22) attack vector with a particularly dangerous twist: a split-oracle condition. The vulnerability exists because the application processes the same user-supplied input (videoDirectory parameter) through two separate code paths that handle the data differently.
The authorization code path truncates the parameter at the first / segment to determine which video resource to validate access against. However, the file access code path preserves directory traversal sequences such as .. intact. This discrepancy creates a scenario where an attacker can craft a request that passes authorization checks for one video (potentially a public video they have access to) while actually retrieving content from a completely different, protected video resource.
The attack requires no authentication and can be executed remotely over the network, making it particularly dangerous for platforms hosting premium or sensitive video content.
Root Cause
The root cause of this vulnerability is inconsistent input handling between the authorization and file access components. The authorization logic performs premature truncation of the path parameter at the first / character, while the file serving logic processes the full path including relative directory sequences. This creates a Time-of-Check to Time-of-Use (TOCTOU) variant where the checked resource differs from the accessed resource.
Proper input validation should have normalized and validated the path before any processing, ensuring that both authorization and file access operate on the same canonical path representation.
Attack Vector
The attack exploits the HLS streaming endpoint through a specially crafted HTTP GET request. An attacker can manipulate the videoDirectory parameter to include path traversal sequences that navigate outside the intended video directory structure.
The attack flow works as follows: the attacker constructs a URL where the videoDirectory parameter contains a legitimate video identifier followed by traversal sequences (like ../) that point to a protected video. The authorization code only validates the portion before the first /, passing the access check. The file serving code then resolves the full path including the traversal, serving content from the protected video.
This split-oracle behavior allows complete bypass of video access controls without requiring any authentication credentials.
Detection Methods for CVE-2026-33292
Indicators of Compromise
- Unusual access patterns to view/hls.php with videoDirectory parameters containing .. sequences
- HTTP requests with URL-encoded path traversal patterns such as %2e%2e%2f or %2e%2e/
- Access logs showing successful responses for HLS requests from unauthenticated sessions targeting premium content
- Increased bandwidth consumption on video assets without corresponding valid user sessions
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in the videoDirectory parameter
- Configure intrusion detection systems to alert on requests containing multiple consecutive ../ sequences
- Monitor application logs for anomalous access patterns to the /view/hls.php endpoint
- Deploy file integrity monitoring on video storage directories to detect unauthorized access patterns
Monitoring Recommendations
- Enable detailed request logging for all HLS streaming endpoints with full parameter capture
- Set up alerts for requests to view/hls.php containing encoded or decoded path traversal characters
- Monitor for spikes in video streaming bandwidth that don't correlate with authenticated user sessions
- Implement rate limiting on the HLS endpoint to slow down automated exploitation attempts
How to Mitigate CVE-2026-33292
Immediate Actions Required
- Upgrade WWBN AVideo to version 26.0 or later immediately
- Review access logs for evidence of exploitation attempts targeting the view/hls.php endpoint
- Implement WAF rules to block requests containing path traversal sequences as a temporary measure
- Audit access to premium and private video content for any unauthorized streaming activity
Patch Information
WWBN has released version 26.0 which contains a fix for this vulnerability. The patch ensures consistent path handling between the authorization and file access code paths, eliminating the split-oracle condition. The fix is available in commit bc034066281085af00e64b0d7b81d8a025a928c4. Administrators should update to version 26.0 or apply the patch as soon as possible.
For additional details, refer to the GitHub Security Advisory GHSA-pw4v-x838-w5pg and the GitHub commit containing the fix.
Workarounds
- Restrict access to view/hls.php at the web server level using allow-lists for known authenticated IP ranges
- Implement a reverse proxy rule that validates and normalizes all path parameters before forwarding to AVideo
- Temporarily disable public access to HLS streaming functionality until the patch can be applied
- Configure web server rules to reject any request to the HLS endpoint containing .. in any parameter
# Example nginx configuration to block path traversal attempts
location /view/hls.php {
if ($args ~* "\.\.") {
return 403;
}
# Normal proxy/fastcgi configuration continues here
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
