CVE-2026-33502 Overview
CVE-2026-33502 is a Server-Side Request Forgery (SSRF) vulnerability affecting WWBN AVideo, an open source video platform. In versions up to and including 26.0, an unauthenticated SSRF vulnerability exists in plugin/Live/test.php that allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be exploited to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints.
Critical Impact
Unauthenticated attackers can leverage this SSRF vulnerability to access internal network resources, cloud instance metadata, and potentially exfiltrate sensitive information from protected services that are not directly accessible from the internet.
Affected Products
- WWBN AVideo versions up to and including 26.0
- AVideo installations with the Live plugin enabled
- Self-hosted AVideo instances with access to internal network resources
Discovery Timeline
- 2026-03-23 - CVE-2026-33502 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33502
Vulnerability Analysis
This vulnerability is classified under CWE-918 (Server-Side Request Forgery), a weakness that occurs when an application can be manipulated to send requests to arbitrary destinations. In the case of CVE-2026-33502, the vulnerable endpoint in plugin/Live/test.php accepts user-supplied URLs and processes them server-side without adequate validation.
The SSRF vulnerability requires no authentication to exploit, meaning any remote attacker with network access to the AVideo application can trigger the flaw. The server processes attacker-controlled URLs and makes outbound HTTP requests on behalf of the attacker, effectively acting as a proxy to access resources that would otherwise be unreachable.
Root Cause
The root cause of this vulnerability lies in insufficient input validation within the plugin/Live/test.php file. The application fails to properly sanitize or restrict the URLs that users can supply, allowing attackers to specify arbitrary destinations including:
- Internal IP addresses (127.0.0.1, localhost, 10.x.x.x, 192.168.x.x)
- Cloud provider metadata endpoints (169.254.169.254)
- Other internal services accessible from the server
Attack Vector
The vulnerability is exploited via a network-based attack vector. An unauthenticated attacker submits a crafted request to the vulnerable endpoint plugin/Live/test.php with a malicious URL parameter. The AVideo server then makes an HTTP request to the attacker-specified destination and may return the response content.
This attack pattern enables several malicious activities:
- Internal Network Scanning: Attackers can enumerate internal services and their availability by observing response times and errors.
- Cloud Metadata Theft: On cloud-hosted instances, attackers can request the metadata endpoint to retrieve instance credentials, API keys, and configuration data.
- Accessing Internal APIs: Protected internal services that trust requests from the server's IP can be accessed and manipulated.
The vulnerability does not require any user interaction, and while it primarily impacts confidentiality, it can also enable limited integrity violations through unauthorized access to internal write operations.
Detection Methods for CVE-2026-33502
Indicators of Compromise
- Unusual outbound HTTP requests from the AVideo server to internal IP ranges (127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Requests to cloud metadata endpoints (169.254.169.254) originating from the web application
- High volume of requests to plugin/Live/test.php with varying URL parameters
- Web server logs showing requests containing internal hostnames or IP addresses in query parameters
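As an added example (not code from AVideo or from this advisory), the following Python scans web-server access-log lines for the indicators above: requests to plugin/Live/test.php whose query parameters point at the loopback, RFC 1918 or 169.254.0.0/16 ranges named under Root Cause (it also covers IPv6 loopback, which the page does not list). The log lines and the `url` parameter name are constructed; the same `is_internal_target` check is what a WAF rule or a server-side allow-list would apply to the supplied URL before any request is made.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Ranges named in the advisory: loopback, RFC 1918, and link-local (which holds the
# 169.254.169.254 metadata endpoint); IPv6 loopback is added here as a generalization.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128")]

def is_internal_target(url):
    """True when the URL's host is 'localhost' or a literal IP inside BLOCKED_NETS."""
    host = urlparse(url).hostname
    if host is None:
        return False
    if host.rstrip(".").lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name (resolve it and re-check every address in production) or a
        # shorthand such as '127.1' that ipaddress refuses; this offline check skips both.
        return False
    return any(addr in net for net in BLOCKED_NETS)

# Combined-log-format prefix: client address, timestamp, request target.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/')

def find_ssrf_attempts(log_lines):
    """Yield (client, timestamp, value) for each test.php request carrying an internal URL."""
    hits = []
    for line in log_lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        client, ts, target = m.groups()
        req = urlparse(target)
        if not req.path.lower().endswith("/plugin/live/test.php"):
            continue
        # No parameter name is assumed; every query value is tested.
        for values in parse_qs(req.query).values():
            for v in values:
                # Bare hosts such as '127.0.0.1' have no scheme; '//' lets urlparse see a host.
                if is_internal_target(v if "://" in v else "//" + v):
                    hits.append((client, ts, v))
    return hits

# Constructed sample access-log lines, not taken from any real deployment.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Mar/2026:10:00:01 +0000] "GET /plugin/Live/test.php?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [23/Mar/2026:10:00:02 +0000] "GET /plugin/Live/test.php?url=http%3A%2F%2F127.0.0.1%3A3306%2F HTTP/1.1" 500 0',
    '198.51.100.7 - - [23/Mar/2026:10:00:03 +0000] "GET /plugin/Live/test.php?url=http://example.com/stream.m3u8 HTTP/1.1" 200 128',
    '198.51.100.7 - - [23/Mar/2026:10:00:04 +0000] "GET /view/index.php HTTP/1.1" 200 2048',
]
```

Running `find_ssrf_attempts(SAMPLE_LOG)` flags only the first two lines; the external stream URL and the unrelated page request are ignored.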
Detection Strategies
- Monitor web application firewall (WAF) logs for requests to plugin/Live/test.php containing suspicious URL patterns
- Implement egress filtering to detect and block requests from web servers to cloud metadata endpoints
- Deploy network intrusion detection rules to identify SSRF patterns targeting internal resources
- Analyze AVideo application logs for anomalous request patterns to the Live plugin
Monitoring Recommendations
- Enable detailed logging on the AVideo server to capture all requests to plugin endpoints
- Configure alerts for outbound connections from the AVideo server to RFC 1918 private address ranges
- Monitor DNS queries from the web server for resolution of internal hostnames
- Implement real-time security monitoring using SentinelOne Singularity to detect exploitation attempts
How to Mitigate CVE-2026-33502
Immediate Actions Required
- Update WWBN AVideo to a version containing commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 or later
- Restrict access to plugin/Live/test.php if the Live plugin functionality is not required
- Implement network segmentation to limit the AVideo server's ability to reach sensitive internal resources
- Deploy WAF rules to block requests to the vulnerable endpoint containing internal IP addresses or metadata URLs
Patch Information
WWBN has released a security fix in commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3. Organizations running affected versions should apply this patch immediately. For detailed patch information, refer to the GitHub Commit Update and the GitHub Security Advisory GHSA-3fpm-8rjr-v5mc.
Workarounds
- Block access to plugin/Live/test.php at the web server or reverse proxy level if the endpoint is not required for production functionality
- Implement network-level controls to prevent the AVideo server from initiating connections to internal networks or cloud metadata services
- Use a web application firewall to filter requests containing internal IP addresses, localhost references, or metadata endpoint URLs
- Consider running AVideo in an isolated network segment with restricted outbound connectivity
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.