CVE-2026-33492 Overview
WWBN AVideo, an open source video platform, contains a session fixation vulnerability in versions up to and including 26.0. The platform's _session_start() function accepts arbitrary session IDs via the PHPSESSID GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly disabled session regeneration in User::login(), this allows attackers to perform a classic session fixation attack where they can fix a victim's session ID before authentication and subsequently hijack the authenticated session.
Critical Impact
Successful exploitation allows attackers to hijack authenticated user sessions, potentially gaining unauthorized access to user accounts and sensitive video platform functionality.
Affected Products
- WWBN AVideo versions up to and including 26.0
- All installations using the vulnerable _session_start() function
- Deployments with default session handling configurations
Discovery Timeline
- 2026-03-23 - CVE-2026-33492 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33492
Vulnerability Analysis
This vulnerability represents a classic session fixation attack vector (CWE-384) in the AVideo platform's session management implementation. The core issue stems from the _session_start() function's acceptance of user-controlled session IDs through the PHPSESSID GET parameter without proper validation or regeneration.
The attack is enabled by two compounding factors: first, the platform accepts arbitrary session IDs from request parameters and activates them as the current PHP session. Second, session regeneration is explicitly disabled in the User::login() function, meaning that when a user authenticates, their session ID remains unchanged.
This creates an attack scenario where an adversary can craft a malicious link containing a pre-determined session ID. When the victim clicks the link and subsequently authenticates, the attacker, who already knows the session ID, can present that same ID to the platform and act as the authenticated victim.
Root Cause
The root cause is improper session management in the AVideo platform. The _session_start() function fails to validate or reject externally-provided session identifiers, and the authentication flow in User::login() does not regenerate the session ID upon successful login. This violates secure session management best practices which mandate session regeneration after privilege level changes such as authentication.
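To make the root cause concrete, here is an added illustration that is not AVideo's code and not the fix in the referenced commit: a minimal in-memory session store. The `strict` flag models whether an unknown, externally supplied ID is adopted as the session (PHP governs this with session.use_strict_mode), and the `regenerate` flag models whether a successful login retires the pre-authentication ID, as a call to session_regenerate_id(true) would. The session ID "fixed-id" and the user name are constructed values.

```python
import secrets


class SessionStore:
    """Tiny model of PHP-style server-side sessions (an illustration, not AVideo code)."""

    def __init__(self, strict=True):
        self.sessions = {}   # sid -> session data
        self.strict = strict

    def start(self, presented_sid=None):
        """Start a session for a request that may present an ID.

        strict=True: an ID the server never issued is ignored and a fresh one is
        created (the behaviour of session.use_strict_mode=1).
        strict=False: the presented ID is adopted as-is, which is the behaviour the
        advisory describes for _session_start() and PHPSESSID in the query string.
        """
        if presented_sid is not None and (presented_sid in self.sessions or not self.strict):
            self.sessions.setdefault(presented_sid, {})
            return presented_sid
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def login(self, sid, user, regenerate=True):
        """Mark the session authenticated; with regenerate=True the old ID is retired
        and the data moves to a fresh ID, so anything known before login is useless."""
        data = self.sessions[sid]
        data["user"] = user
        if not regenerate:
            return sid               # the disabled-regeneration path described above
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        del self.sessions[sid]
        return new_sid

    def user_for(self, sid):
        """Which user, if any, the server associates with this ID."""
        return self.sessions.get(sid, {}).get("user")


def outcome_after_login(strict, regenerate):
    """Victim arrives with a pre-chosen ID and logs in; return which user the server
    now associates with that pre-chosen ID (None means the ID is worthless)."""
    store = SessionStore(strict=strict)
    victim_sid = store.start(presented_sid="fixed-id")   # constructed ID from the lure link
    store.login(victim_sid, "victim", regenerate=regenerate)
    return store.user_for("fixed-id")


if __name__ == "__main__":
    for strict in (False, True):
        for regenerate in (False, True):
            print(f"strict={strict} regenerate={regenerate} ->",
                  outcome_after_login(strict, regenerate))
```

Only the combination of adopting arbitrary IDs and not regenerating on login leaves the pre-chosen ID bound to the authenticated user; either control alone is enough to break the chain, which is why the mitigation section asks for both the patch and strict cookie handling.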
Attack Vector
The attack requires network access and user interaction. An attacker would craft a URL to the AVideo platform containing a predetermined PHPSESSID parameter. The attacker sends this link to a victim, who clicks it and logs in to their AVideo account. Since the session ID is not regenerated upon login, the attacker can then use the known session ID to access the victim's authenticated session and impersonate them on the platform.
The attack is facilitated by a bypass mechanism that affects specific blacklisted endpoints when requests originate from the same domain, further reducing the effectiveness of any partial mitigations that may have been in place.
Detection Methods for CVE-2026-33492
Indicators of Compromise
- Unusual session ID patterns in web server logs, particularly PHPSESSID values appearing in GET parameters
- Multiple authentications occurring with the same pre-existing session ID from different IP addresses
- Login events where the session ID remains unchanged before and after authentication
- Referrer headers showing external sources directing users to URLs with embedded session IDs
Detection Strategies
- Monitor web application logs for PHPSESSID parameters in URL query strings
- Implement alerting for sessions that authenticate without subsequent session ID regeneration
- Deploy web application firewall rules to detect and block URLs containing session ID parameters
- Analyze authentication logs for session reuse patterns across different client IP addresses
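The indicators and detection strategies listed above, run over a few constructed log lines, as an added example that is neither part of this advisory nor AVideo project code. It assumes an Apache combined log with one extra trailing field carrying the PHPSESSID cookie value (obtainable with the %{PHPSESSID}C LogFormat token), a site host of video.example and a login endpoint at /login; all three are assumptions, and the IPs, hosts and session IDs are made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample: combined log format plus a trailing PHPSESSID cookie field
# ("-" when no cookie was sent). /login stands in for the platform's real login
# endpoint, which this advisory does not name.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Mar/2026:10:00:01 +0000] "GET /?PHPSESSID=fixed123abc HTTP/1.1" 200 512 "http://lure.example/watch" "Mozilla/5.0" -
203.0.113.7 - - [23/Mar/2026:10:00:05 +0000] "POST /login HTTP/1.1" 200 128 "https://video.example/" "Mozilla/5.0" fixed123abc
203.0.113.7 - - [23/Mar/2026:10:00:20 +0000] "GET /user/settings HTTP/1.1" 200 2048 "https://video.example/" "Mozilla/5.0" fixed123abc
198.51.100.9 - - [23/Mar/2026:10:02:10 +0000] "GET /user/settings HTTP/1.1" 200 2048 "-" "curl/8.0" fixed123abc
192.0.2.4 - - [23/Mar/2026:10:05:00 +0000] "POST /login HTTP/1.1" 200 128 "https://video.example/" "Mozilla/5.0" normal999
192.0.2.4 - - [23/Mar/2026:10:05:30 +0000] "GET /user/settings HTTP/1.1" 200 2048 "https://video.example/" "Mozilla/5.0" normal1000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<cookie_sid>\S+)$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["cookie_sid"] == "-":
        rec["cookie_sid"] = None
    return rec


def analyze(log_text, site_host="video.example", login_path="/login"):
    """Apply the advisory's detection rules and return a list of findings."""
    findings = []
    url_supplied = {}               # sid -> first client IP that put it in a URL
    session_ips = defaultdict(set)  # sid -> client IPs that presented it
    logged_in = set()               # sids presented on a successful login
    reported_unchanged = set()      # sids already reported under rule 3

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        sid_in_url = parse_qs(parts.query).get("PHPSESSID", [None])[0]

        # Rule 1: a session ID travelling in the query string is itself an indicator.
        if sid_in_url:
            url_supplied.setdefault(sid_in_url, rec["ip"])
            findings.append({"rule": "session_id_in_url", "sid": sid_in_url, "ip": rec["ip"]})
            # Rule 2: an off-site referrer on such a request points to a lure link.
            ref_host = urlsplit(rec["referer"]).hostname
            if ref_host and ref_host != site_host:
                findings.append({"rule": "external_referrer_with_sid", "sid": sid_in_url,
                                 "ip": rec["ip"], "referer": ref_host})

        sid = rec["cookie_sid"] or sid_in_url
        if sid is None:
            continue
        session_ips[sid].add(rec["ip"])

        if rec["method"] == "POST" and parts.path == login_path and rec["status"] == "200":
            logged_in.add(sid)
        elif sid in logged_in and sid not in reported_unchanged:
            # Rule 3: the ID presented at login is still in use afterwards, so the
            # application did not regenerate it on authentication.
            reported_unchanged.add(sid)
            findings.append({"rule": "session_id_unchanged_after_login", "sid": sid, "ip": rec["ip"]})

    # Rule 4: an authenticated session presented from more than one client IP.
    for sid, ips in session_ips.items():
        if sid in logged_in and len(ips) > 1:
            findings.append({"rule": "session_shared_across_ips", "sid": sid, "ips": sorted(ips)})
    return findings


def rules_for(findings, sid):
    """Names of the rules that fired for one session ID."""
    return {f["rule"] for f in findings if f["sid"] == sid}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample, every rule fires for fixed123abc and none for the benign flow, whose ID changes from normal999 to normal1000 at login. Against real logs, point login_path at the platform's actual login endpoint and expect rule 3 to fire for every user on an unpatched install, which is itself a useful confirmation that the fix is not yet deployed.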
Monitoring Recommendations
- Enable verbose logging for session management functions in AVideo
- Configure SIEM rules to correlate session creation events with authentication events
- Monitor for anomalous session activity patterns indicative of session hijacking
- Track user sessions that span multiple geographic locations or client fingerprints
How to Mitigate CVE-2026-33492
Immediate Actions Required
- Update AVideo to a version containing commit 5647a94d79bf69a972a86653fe02144079948785 or later
- Review session management configurations and ensure session regeneration is enabled on authentication
- Audit access logs for potential exploitation attempts prior to patching
- Consider implementing additional session security controls such as binding sessions to client attributes
Patch Information
The vulnerability has been addressed in commit 5647a94d79bf69a972a86653fe02144079948785. Organizations running WWBN AVideo should update to the latest version containing this fix. Detailed information about the patch is available in the GitHub Commit and the GitHub Security Advisory.
Workarounds
- Configure web server or reverse proxy rules to strip or reject PHPSESSID parameters from incoming URLs
- Implement network-level controls to limit access to the AVideo platform from trusted sources only
- Enable strict cookie-only session handling at the PHP configuration level by setting session.use_only_cookies = 1
- Deploy a web application firewall to detect and block session fixation attack patterns
# PHP configuration to enforce cookie-only sessions
# Apache with mod_php: add to .htaccess or the vhost (php.ini uses the form "session.use_only_cookies = 1")
php_value session.use_only_cookies 1
php_value session.use_trans_sid 0
php_value session.cookie_httponly 1
php_value session.cookie_secure 1
# These stop PHP itself from taking the session ID from the URL; they do not change
# application code that reads PHPSESSID from the query string and installs it as the
# session ID, so the patched version is still required.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

