CVE-2026-33501 Overview
WWBN AVideo, an open source video platform, contains a missing authorization vulnerability in versions up to and including 26.0. The endpoint plugin/Permissions/View/Users_groups_permissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. This represents a significant oversight as all sibling endpoints in the same directory (add.json.php, delete.json.php, index.php) properly require User::isAdmin() checks.
Critical Impact
Unauthenticated attackers can enumerate the complete permission structure of an AVideo installation, revealing which user groups have access to specific plugins and functionality, potentially enabling further targeted attacks.
Affected Products
- WWBN AVideo versions up to and including 26.0
- All installations with the Permissions plugin enabled
Discovery Timeline
- 2026-03-23 - CVE CVE-2026-33501 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33501
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization). The affected endpoint list.json.php within the Permissions plugin fails to implement any authentication or authorization verification before returning sensitive permission mapping data. This is particularly notable because the vulnerability represents an inconsistency within the codebase—neighboring endpoints in the same directory all implement proper User::isAdmin() authorization checks.
The information disclosed through this vulnerability includes the complete permission matrix, which maps user groups to their respective plugin access levels. While the direct data exposure is limited to permission configurations (reflected in the confidentiality-only impact), this information can be valuable for reconnaissance purposes and planning subsequent attacks against the platform.
Root Cause
The root cause is a developer oversight where the list.json.php endpoint was not protected with the same authorization controls applied to other endpoints in the Permissions plugin directory. The inconsistent application of the User::isAdmin() check across sibling files indicates the missing authorization was not intentional.
Attack Vector
The attack requires no authentication and can be executed remotely over the network. An attacker simply needs to send an HTTP request to the vulnerable endpoint to retrieve the complete permission matrix. The attack has low complexity and requires no user interaction.
To exploit this vulnerability, an attacker would:
- Identify an AVideo installation (versions ≤ 26.0)
- Send an unauthenticated HTTP GET request to the plugin/Permissions/View/Users_groups_permissions/list.json.php endpoint
- Parse the JSON response containing the complete user group to plugin permission mappings
The vulnerable endpoint returns permission data without requiring any session token, API key, or administrative credentials. This enables attackers to map out the authorization structure of the target installation for reconnaissance purposes.
Detection Methods for CVE-2026-33501
Indicators of Compromise
- Unusual or repeated HTTP requests to plugin/Permissions/View/Users_groups_permissions/list.json.php from unauthenticated sessions
- Access to the list.json.php endpoint from IP addresses not associated with administrative users
- Requests to multiple permission-related endpoints in rapid succession, indicating enumeration activity
Detection Strategies
- Monitor web server access logs for requests to plugin/Permissions/View/Users_groups_permissions/list.json.php without valid authentication cookies
- Implement web application firewall (WAF) rules to alert on access attempts to sensitive plugin endpoints from unauthenticated sources
- Deploy intrusion detection signatures that flag reconnaissance patterns targeting AVideo permission endpoints
Monitoring Recommendations
- Enable detailed access logging for the AVideo Permissions plugin directory
- Configure alerting for any access to list.json.php from external IP addresses
- Review access patterns to permission-related endpoints during regular security audits
How to Mitigate CVE-2026-33501
Immediate Actions Required
- Update WWBN AVideo to a version containing the security patches (commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516)
- Restrict access to the Permissions plugin directory at the web server level if immediate patching is not possible
- Review access logs for evidence of prior exploitation attempts
Patch Information
WWBN has released patches for this vulnerability in two commits:
- GitHub Commit dc3c8257 - First patch commit
- GitHub Commit b583acdc - Second patch commit
For complete details, refer to the GitHub Security Advisory GHSA-96qp-8cmq-jvq8.
Workarounds
- Implement web server access controls (e.g., Apache .htaccess or Nginx location blocks) to restrict access to the plugin/Permissions/View/Users_groups_permissions/ directory to authenticated administrators only
- Deploy a reverse proxy or WAF rule to block unauthenticated requests to the vulnerable endpoint
- If the Permissions plugin is not required, consider disabling it until a patch can be applied
# Nginx configuration to restrict access to vulnerable endpoint
location ~ /plugin/Permissions/View/Users_groups_permissions/list\.json\.php {
# Deny all access - requires authentication at application level
deny all;
# Or restrict to admin IP addresses
# allow 192.168.1.0/24;
# deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
