CVE-2026-33297 Overview
WWBN AVideo is an open source video platform that contains an authorization bypass vulnerability in the CustomizeUser plugin. Prior to version 26.0, the setPassword.json.php endpoint allows administrators to set a channel password for any user. However, due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero before being stored. This means that regardless of the intended password, the stored channel password becomes 0, which any visitor can trivially guess to bypass channel-level access control.
Critical Impact
Attackers can bypass channel-level access controls by entering 0 as the password, gaining unauthorized access to protected video content and channels.
Affected Products
- WWBN AVideo versions prior to 26.0
- AVideo CustomizeUser plugin (setPassword.json.php endpoint)
Discovery Timeline
- 2026-03-23 - CVE-2026-33297 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33297
Vulnerability Analysis
This vulnerability represents a classic authorization bypass flaw (CWE-639) caused by improper type handling in PHP. The setPassword.json.php endpoint in the CustomizeUser plugin fails to properly validate and process password input before storage. When an administrator sets a channel password containing alphabetic or special characters, PHP's type juggling behavior coerces the string value to an integer. Since non-numeric strings in PHP evaluate to 0 when cast to integers, all such passwords are stored as the value 0.
This vulnerability allows any unauthenticated visitor to gain access to password-protected channels by simply entering 0 as the password. It effectively renders the channel password protection mechanism useless for any channel where an administrator attempted to set a meaningful password.
Root Cause
The root cause is improper type handling in PHP where password input is inadvertently cast to an integer type before storage. PHP's loose type comparison and automatic type coercion converts any non-numeric string (e.g., "MySecurePassword123!") to the integer 0. This occurs because PHP interprets strings beginning with non-numeric characters as having a numeric value of zero when forced into an integer context.
Attack Vector
The attack is network-based and requires no special privileges to exploit. An attacker can target any password-protected channel on a vulnerable AVideo installation by:
- Identifying a password-protected channel on the target AVideo platform
- Entering 0 as the channel password
- Gaining immediate access to the protected content
The vulnerability requires that an administrator has previously set a password containing non-numeric characters on a channel. Since most meaningful passwords include letters and special characters, the majority of password-protected channels on vulnerable installations are likely affected.
The setPassword.json.php endpoint processes the password parameter without proper validation. When a password string like "SecurePass123" is submitted, the code path that stores this value performs an implicit integer conversion, resulting in the value 0 being saved to the database instead of the intended password hash or string.
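The following PHP snippet is an added illustration of the coercion class described under Root Cause and in the paragraph above; it is not AVideo's code and does not reproduce the setPassword.json.php code path. The function names and sample passwords are constructed for the example. It places the vulnerable pattern (forcing the submitted value into an integer context before storage) next to a hardened pattern that keeps the value a string, validates it, and stores a password hash.

```php
<?php
// Added example, not code from AVideo or the advisory. Function names are hypothetical.

// Vulnerable pattern: the submitted password is cast to int before it is stored.
// In PHP, a string with no leading digits casts to 0 (a string such as "42abc"
// keeps its leading number, 42, which is the only case that does not collapse to 0).
function vulnerableStorePassword(string $submitted): int
{
    return (int) $submitted;
}

// Vulnerable check: loose comparison between the stored int and the visitor's input.
function vulnerableCheckPassword(string $submitted, int $stored): bool
{
    return $submitted == $stored; // "0" == 0 is true, so the channel opens for "0"
}

// Hardened pattern: keep the value a string, validate it, store only a hash.
function hardenedStorePassword(string $submitted): string
{
    if ($submitted === '' || strlen($submitted) > 256) {
        throw new InvalidArgumentException('channel password must be a non-empty string');
    }
    return password_hash($submitted, PASSWORD_DEFAULT);
}

// Hardened check: constant-time verification against the stored hash, no type juggling.
function hardenedCheckPassword(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

// Constructed sample passwords an administrator might submit.
$samples = ['MySecurePassword123!', 'SecurePass123', '42abc', 'hunter2'];

foreach ($samples as $pw) {
    $stored = vulnerableStorePassword($pw);
    $opensWithZero = vulnerableCheckPassword('0', $stored) ? 'yes' : 'no';
    printf("%-22s stored as %-3d  opens with \"0\": %s\n", $pw, $stored, $opensWithZero);
}

$hash = hardenedStorePassword('MySecurePassword123!');
printf("hardened, input \"0\": %s\n", hardenedCheckPassword('0', $hash) ? 'granted' : 'denied');
printf("hardened, correct input: %s\n",
    hardenedCheckPassword('MySecurePassword123!', $hash) ? 'granted' : 'denied');
```

Run it with `php coercion-example.php`. The point to take from the vulnerable half is that the defect is in the storage type, not in the comparison alone: once the column holds 0, any strict or loose check against user input of "0" succeeds. The hardened half never lets the password leave string context and stores a hash, so there is no integer for a guess to collide with.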
Detection Methods for CVE-2026-33297
Indicators of Compromise
- Review authentication logs for repeated access to password-protected channels with the password value 0
- Monitor database records for channel passwords stored as integer 0 values
- Check web server access logs for unusual patterns of access to previously restricted channel content
- Audit CustomizeUser plugin logs for password modification events
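Two of the indicators above (channel passwords stored as 0, and unusual access to previously restricted channel content) can be checked with a small script. The PHP below is an added example, not part of the advisory or of AVideo; the table column names, the protected channel paths and the log lines are constructed for the illustration, so map them onto the real schema and access-log format before use. The log scan uses Apache combined log format, which the page does not specify; that is an assumption.

```php
<?php
// Added example, not code from AVideo or the advisory.
// Assumed column names: channel_id, password. Assumed log format: Apache combined.

// Check 1: find channel rows whose stored password is the coerced value 0.
// Depending on the column type the value may be int 0 or the string "0".
function auditStoredChannelPasswords(array $rows): array
{
    $affected = [];
    foreach ($rows as $row) {
        $stored = $row['password'];
        if ($stored === 0 || $stored === '0' || $stored === '') {
            $affected[] = $row['channel_id'];
        }
    }
    return $affected;
}

// Check 2: flag client IPs that successfully reached at least $threshold distinct
// protected channel paths. One client opening many restricted channels is the
// "unusual pattern" worth reviewing after a bypass like this one.
function flagProtectedChannelAccess(array $logLines, array $protectedPaths, int $threshold): array
{
    $pattern = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})/';
    $seen = []; // ip => [path => true]
    foreach ($logLines as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;
        }
        [, $ip, $path, $status] = $m;
        if ($status !== '200' || !in_array($path, $protectedPaths, true)) {
            continue;
        }
        $seen[$ip][$path] = true;
    }
    $flagged = [];
    foreach ($seen as $ip => $paths) {
        if (count($paths) >= $threshold) {
            $flagged[$ip] = count($paths);
        }
    }
    return $flagged;
}

// Constructed sample rows, as if fetched from the channel table.
$rows = [
    ['channel_id' => 12, 'password' => '0'],
    ['channel_id' => 15, 'password' => password_hash('constructed-example', PASSWORD_DEFAULT)],
    ['channel_id' => 21, 'password' => 0],
];

// Constructed sample access-log lines (Apache combined format).
$logLines = [
    '203.0.113.7 - - [23/Mar/2026:10:00:01 +0000] "GET /channel/private-a HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Mar/2026:10:00:04 +0000] "GET /channel/private-b HTTP/1.1" 200 4870 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Mar/2026:10:00:09 +0000] "GET /channel/private-c HTTP/1.1" 200 6011 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [23/Mar/2026:10:01:30 +0000] "GET /channel/private-a HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [23/Mar/2026:10:01:45 +0000] "GET /channel/private-b HTTP/1.1" 403 210 "-" "Mozilla/5.0"',
];
$protectedPaths = ['/channel/private-a', '/channel/private-b', '/channel/private-c'];

echo "channels with coerced password 0: " . implode(', ', auditStoredChannelPasswords($rows)) . "\n";
foreach (flagProtectedChannelAccess($logLines, $protectedPaths, 3) as $ip => $count) {
    echo "review: $ip reached $count distinct protected channels\n";
}
```

With the constructed data, the audit returns channels 12 and 21 (the row with a real hash is left alone), and only 203.0.113.7 is flagged, since 198.51.100.5 reached a single protected path with status 200. Every channel the audit reports should have its password reset after upgrading, because the stored 0 persists through the patch.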
Detection Strategies
- Implement application-layer monitoring to detect password bypass attempts using numeric-only passwords
- Create alerting rules for successful channel access following multiple failed authentication attempts
- Deploy web application firewall (WAF) rules to log and alert on suspicious parameter patterns to setPassword.json.php
- Enable detailed logging on the CustomizeUser plugin endpoints
Monitoring Recommendations
- Monitor all administrative actions on the setPassword.json.php endpoint
- Set up alerts for access to protected channels by users who have not previously authenticated
- Review channel access patterns for anomalies indicating unauthorized viewing of protected content
How to Mitigate CVE-2026-33297
Immediate Actions Required
- Upgrade WWBN AVideo to version 26.0 or later immediately
- Review all existing channel passwords and reset any that may have been affected by this vulnerability
- Audit access logs to identify potential unauthorized access to protected channels
- Consider temporarily disabling password protection on sensitive channels until the patch is applied
Patch Information
WWBN has released version 26.0 which contains a patch for this issue. The fix is available in GitHub Commit 7a6a94631a0a18c313894395e6eb6703cca4abd0. Additional details are available in the GitHub Security Advisory GHSA-6547-8hrg-c55m.
Organizations should prioritize upgrading to version 26.0 to ensure proper password handling in the CustomizeUser plugin.
Workarounds
- Disable the CustomizeUser plugin if channel password functionality is not required
- Implement additional access controls at the web server or network level for sensitive channels
- Use alternative authentication mechanisms outside of the built-in channel password system
- Restrict administrative access to the setPassword.json.php endpoint via server configuration
# Example: restrict access to the vulnerable endpoint via Apache (2.4) configuration.
# A bare "Require ip" already denies every client outside the listed subnet, so a
# second "Require all denied" in the same block is redundant: in the implicit
# <RequireAny> container it never grants and never changes the result.
# Adjust the path and subnet to match the deployment.
<Location "/plugin/CustomizeUser/setPassword.json.php">
    Require ip 192.168.1.0/24
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

