CVE-2026-33478 Overview
CVE-2026-33478 is a critical vulnerability chain in WWBN AVideo, an open source video platform. Multiple security flaws in the CloneSite plugin can be chained together to allow a completely unauthenticated attacker to achieve remote code execution. The attack chain involves information disclosure, weak password storage, and OS command injection that collectively enable full system compromise.
Critical Impact
Unauthenticated attackers can chain multiple vulnerabilities to gain complete remote code execution on affected AVideo installations, potentially leading to full server compromise and data exfiltration.
Affected Products
- WWBN AVideo versions up to and including 26.0
- AVideo CloneSite plugin (all versions prior to patch commit c85d076375fab095a14170df7ddb27058134d38c)
- Self-hosted AVideo installations with CloneSite functionality enabled
Discovery Timeline
- 2026-03-23 - CVE-2026-33478 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33478
Vulnerability Analysis
This vulnerability represents a sophisticated attack chain that exploits three distinct weaknesses in the AVideo CloneSite plugin. The attack begins with unauthenticated access to sensitive configuration data, progresses through credential compromise due to weak password hashing, and culminates in arbitrary command execution on the underlying server.
The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), though the full chain incorporates authentication bypass and information disclosure components. The attack requires no user interaction and can be executed remotely over the network, making it particularly dangerous for internet-facing AVideo installations.
Root Cause
The root cause stems from multiple compounding security failures in the CloneSite plugin architecture:
Unauthenticated API Exposure: The clones.json.php endpoint exposes clone secret keys without requiring any authentication, allowing attackers to obtain sensitive credentials.
Weak Password Storage: Admin password hashes are stored using MD5, a cryptographically weak algorithm that is trivially crackable using modern hardware and rainbow tables.
Command Injection: The cloneClient.json.php endpoint improperly sanitizes user input when constructing rsync commands, allowing OS command injection when authenticated as an administrator.
Attack Vector
The attack vector follows a three-stage exploitation chain:
Stage 1 - Information Disclosure: An unauthenticated attacker accesses the clones.json.php endpoint, which returns clone secret keys without authentication. These keys can then be used to trigger a full database dump via the cloneServer.json.php endpoint.
Stage 2 - Credential Compromise: The database dump contains admin password hashes stored as MD5. Given MD5's known weaknesses, attackers can crack these hashes using readily available tools and precomputed rainbow tables to obtain plaintext admin credentials.
Stage 3 - Command Injection: With admin access obtained, the attacker exploits an OS command injection vulnerability in the rsync command construction within cloneClient.json.php. By injecting shell metacharacters into user-controlled parameters, arbitrary system commands can be executed with the privileges of the web server process.
Detection Methods for CVE-2026-33478
Indicators of Compromise
- Unusual access patterns to /plugin/CloneSite/clones.json.php or /plugin/CloneSite/cloneServer.json.php endpoints
- Database dump requests originating from external IP addresses
- Suspicious rsync command execution with shell metacharacters in process arguments
- Web server spawning unexpected child processes such as reverse shells or cryptocurrency miners
Detection Strategies
- Monitor web server access logs for requests to CloneSite plugin endpoints from unauthenticated sessions
- Implement alerting on failed authentication attempts followed by successful admin logins from the same IP
- Deploy file integrity monitoring on AVideo installation directories to detect unauthorized modifications
- Use runtime application self-protection (RASP) to detect and block command injection attempts
Monitoring Recommendations
- Enable verbose logging for the CloneSite plugin and forward logs to a SIEM for correlation analysis
- Implement network-level monitoring for outbound connections from the web server to detect reverse shell callbacks
- Monitor for MD5 hash cracking attempts against extracted credentials in threat intelligence feeds
- Deploy behavioral analysis to identify process trees inconsistent with normal AVideo operation
How to Mitigate CVE-2026-33478
Immediate Actions Required
- Update AVideo to a version containing commit c85d076375fab095a14170df7ddb27058134d38c or later
- Disable the CloneSite plugin if not actively required for your deployment
- Reset all admin passwords and migrate to a stronger hashing algorithm if available
- Review server logs for signs of prior exploitation and investigate any suspicious activity
Patch Information
WWBN has released a security patch in commit c85d076375fab095a14170df7ddb27058134d38c. Organizations running affected versions should apply this patch immediately. For detailed information about the fix, refer to the GitHub Security Advisory GHSA-687q-32c6-8x68 and the GitHub commit containing the patch.
Workarounds
- Restrict network access to CloneSite plugin endpoints using web server configuration or web application firewall rules
- Place AVideo instances behind an authenticated reverse proxy to prevent unauthenticated access
- Implement IP allowlisting for administrative functions and CloneSite functionality
- Consider temporarily disabling the CloneSite plugin entirely until patches can be applied
# Example Apache configuration to restrict CloneSite plugin access
<Directory "/var/www/avideo/plugin/CloneSite">
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
