CVE-2026-33485 Overview
CVE-2026-33485 is a SQL Injection vulnerability affecting WWBN AVideo, an open source video platform. In versions up to and including 26.0, the RTMP on_publish callback at plugin/Live/on_publish.php is accessible without authentication. The $_POST['name'] parameter (stream key) is interpolated directly into SQL queries in two locations — LiveTransmitionHistory::getLatest() and LiveTransmition::keyExists() — without parameterized binding or escaping. An unauthenticated attacker can exploit time-based blind SQL injection to extract all database contents including user password hashes, email addresses, and other sensitive data.
Critical Impact
Unauthenticated attackers can extract sensitive database contents including user password hashes and email addresses through time-based blind SQL injection without any prior authentication.
Affected Products
- WWBN AVideo versions up to and including 26.0
- All installations with the Live plugin enabled exposing plugin/Live/on_publish.php
- RTMP streaming deployments using vulnerable stream key handling
Discovery Timeline
- 2026-03-23 - CVE-2026-33485 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33485
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exists in the live streaming functionality of the WWBN AVideo platform. The root issue is that the RTMP on_publish callback endpoint at plugin/Live/on_publish.php is reachable without any form of authentication. The endpoint is meant to be invoked by the RTMP server when a stream starts, but anyone who can reach it can POST to it directly, and the $_POST['name'] parameter carrying the stream key is passed into database queries without any sanitization or parameterization.
The vulnerability manifests in two critical database interaction points: the LiveTransmitionHistory::getLatest() function and the LiveTransmition::keyExists() function. Both methods construct SQL queries by directly concatenating user-supplied input, creating a classic SQL injection vector.
Root Cause
The vulnerability originates from improper input handling in the PHP codebase. The stream key parameter received via POST is interpolated into the SQL query string by string concatenation rather than bound through a prepared statement with parameterized placeholders, so the database cannot distinguish the attacker-controlled value from the query's own syntax and any SQL contained in the payload is executed against the database.
Attack Vector
An unauthenticated remote attacker can target the publicly accessible plugin/Live/on_publish.php endpoint. By crafting a malicious stream key containing SQL injection payloads, the attacker can manipulate the database queries. The time-based blind SQL injection technique allows data extraction character by character through measuring response time differences, enabling complete exfiltration of database contents including user credentials and sensitive personal information.
return false;
}
$key = Live::cleanUpKey($key);
+ // Security: parameterized query to prevent SQL injection via stream key.
$sql = "SELECT u.*, lt.*, lt.password as live_password FROM " . static::getTableName() . " lt "
. " LEFT JOIN users u ON u.id = users_id AND u.status='a' "
- . " WHERE `key` = '$key' ORDER BY lt.modified DESC, lt.id DESC LIMIT 1";
+ . " WHERE `key` = ? ORDER BY lt.modified DESC, lt.id DESC LIMIT 1";
$_keyExistsSQL = $sql;
- $res = sqlDAL::readSql($sql);
+ $res = sqlDAL::readSql($sql, 's', [$key]);
$data = sqlDAL::fetchAssoc($res);
sqlDAL::close($res);
if ($res) {
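Review bot: this hunk parameterizes only the keyExists() query (the `$_keyExistsSQL = $sql;` line identifies it), while the advisory names LiveTransmitionHistory::getLatest() as a second location that interpolates the same stream key; confirm the companion hunk applies the same `?` placeholder and `sqlDAL::readSql($sql, 's', [$key])` binding there, since the `Live::cleanUpKey($key)` call that precedes the query is not a substitute for binding. The `+ // Security:` comment is appropriate, but it sits on the function's `$sql` line rather than next to the `readSql` call where the binding actually happens; consider moving it so the reason for the `'s'` type string and array argument is visible at the call site.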
Source: GitHub AVideo Commit
Detection Methods for CVE-2026-33485
Indicators of Compromise
- Unusual HTTP POST requests to plugin/Live/on_publish.php with malformed or excessively long stream key parameters
- Database query logs showing SQL syntax errors or time-based delay patterns such as SLEEP() or BENCHMARK() functions
- Abnormal response time variations from the AVideo application correlating with RTMP callback requests
- Evidence of data exfiltration attempts through sequential character extraction patterns in logs
Detection Strategies
- Implement web application firewall (WAF) rules to detect SQL injection patterns in POST parameters targeting /plugin/Live/on_publish.php
- Monitor application and database logs for SQL syntax anomalies and time-based injection signatures
- Deploy intrusion detection system (IDS) signatures to identify blind SQL injection attack patterns
- Configure rate limiting on the on_publish endpoint to slow down automated exploitation attempts
Monitoring Recommendations
- Enable verbose logging for the AVideo Live plugin to capture all incoming stream key parameters
- Set up alerting for database query execution times exceeding normal thresholds
- Implement database activity monitoring to detect unauthorized data access patterns
- Review web server access logs regularly for suspicious POST requests to the vulnerable endpoint
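A small log scanner, added here as an example that is not part of the original advisory or the AVideo project, that applies the Indicators of Compromise, Detection Strategies and Monitoring Recommendations above to access-log lines: it keeps only requests to the on_publish endpoint, URL-decodes the stream key, flags delay functions, SQL metacharacters, oversized keys and responses far slower than the endpoint's median, and counts hits per source so repeated character-by-character probing from one address stands out. The log format, the 64-character key limit and the 10x slowness factor are assumptions; the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log (assumption: a custom access-log format that records the
# client IP, request path, the raw 'name' POST field and the response time in ms).
SAMPLE_LOG = "\n".join([
    "203.0.113.10 /plugin/Live/on_publish.php name=stream-7f3a2c rt=18",
    "203.0.113.10 /plugin/Live/on_publish.php name=stream-7f3a2c rt=21",
    "203.0.113.11 /plugin/Live/on_publish.php name=stream-91bd04 rt=22",
    "198.51.100.7 /plugin/Live/on_publish.php name=k%27+AND+SLEEP%285%29--+ rt=5023",
    "198.51.100.7 /plugin/Live/on_publish.php name=k%27+AND+SLEEP%285%29--+ rt=5011",
    "198.51.100.7 /plugin/Live/on_publish.php name=" + "a" * 80 + " rt=20",
    "203.0.113.10 /index.php name=ignored rt=40",
])

TARGET = "/plugin/Live/on_publish.php"
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<path>\S+) name=(?P<name>\S*) rt=(?P<rt>\d+)$")
DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)  # delay primitives from the IoC list
META_RE = re.compile(r"['\"]|--|/\*|#")                   # quote/comment sequences
MAX_KEY_LEN = 64   # assumption: legitimate stream keys are short opaque tokens
SLOW_FACTOR = 10   # flag responses more than 10x the endpoint's median time

def analyze(log_text):
    """Return (findings, per_ip) where each finding is (ip, reasons, decoded_key)."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["path"] == TARGET:      # only the RTMP callback endpoint matters
            rows.append((m["ip"], unquote_plus(m["name"]), int(m["rt"])))
    if not rows:
        return [], Counter()
    median_rt = sorted(r[2] for r in rows)[len(rows) // 2]
    findings, per_ip = [], Counter()
    for ip, key, rt in rows:
        reasons = [label for label, hit in (
            ("delay-function", DELAY_RE.search(key)),
            ("sql-metachar", META_RE.search(key)),
            ("oversized-key", len(key) > MAX_KEY_LEN),
            ("slow-response", rt > SLOW_FACTOR * median_rt),
        ) if hit]
        if reasons:
            findings.append((ip, reasons, key))
            per_ip[ip] += 1   # repeated hits from one source suggest automated extraction
    return findings, per_ip

if __name__ == "__main__":
    for ip, reasons, key in analyze(SAMPLE_LOG)[0]:
        print(ip, ",".join(reasons), repr(key[:40]))
```

Decoding the key before matching matters: the delay function and quote characters arrive percent-encoded in the request body, so a pattern applied to the raw field would miss them.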
How to Mitigate CVE-2026-33485
Immediate Actions Required
- Update WWBN AVideo to a version containing commit af59eade82de645b20183cc3d74467a7eac76549 or later
- Restrict access to the plugin/Live/on_publish.php endpoint at the web server or firewall level if the Live plugin is not actively used
- Implement network-level access controls to limit which systems can reach the RTMP callback endpoint
- Rotate all user passwords and API keys as a precaution if exploitation is suspected
Patch Information
The vulnerability has been addressed in commit af59eade82de645b20183cc3d74467a7eac76549. This patch implements parameterized queries in both the LiveTransmition and LiveTransmitionHistory classes, replacing direct string interpolation with prepared statement placeholders. Users should update to a version containing this security fix. For detailed patch information, refer to the GitHub Security Advisory GHSA-8p58-35c3-ccxx.
Workarounds
- If immediate patching is not possible, restrict access to plugin/Live/on_publish.php via web server configuration or .htaccess rules
- Deploy a web application firewall with SQL injection protection rules enabled
- Disable the Live plugin entirely if RTMP streaming functionality is not required for your deployment
- Implement IP-based allowlisting to permit only trusted RTMP servers to access the callback endpoint
# Apache configuration to restrict access to the vulnerable endpoint.
# Several Require directives at the same level are OR'd together (implicit RequireAny);
# narrow the ranges to the address of the trusted RTMP server wherever possible.
<Location "/plugin/Live/on_publish.php">
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.