CVE-2026-33512 Overview
CVE-2026-33512 is an authentication bypass vulnerability in WWBN AVideo, an open source video platform. In versions up to and including 26.0, the API plugin exposes a decryptString action without any authentication requirements. This allows any user—authenticated or not—to submit ciphertext and receive the corresponding plaintext. Since ciphertext is issued publicly through endpoints such as view/url2Embed.json.php, attackers can recover protected tokens and metadata without authorization.
Critical Impact
Unauthenticated remote attackers can decrypt any token or metadata encrypted under the platform's key. The direct impact is loss of confidentiality; where the recovered plaintext is a token that gates video content, embed URLs or user sessions, it can be reused for unauthorized access, and administrative functions are at risk only if tokens protecting them are exposed the same way.
Affected Products
- WWBN AVideo versions up to and including 26.0
- All deployments exposing the API plugin's decryptString endpoint
- Instances using encrypted tokens via view/url2Embed.json.php
Discovery Timeline
- 2026-03-23 - CVE-2026-33512 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33512
Vulnerability Analysis
This vulnerability represents a classic authentication bypass flaw (CWE-287) where a sensitive cryptographic operation is exposed without access controls. The decryptString API action was designed to decrypt internal tokens for legitimate platform operations, but the endpoint lacks authentication checks. This transforms the API into an oracle that attackers can abuse to decrypt any ciphertext encrypted with the platform's key.
The network-based attack vector requires no privileges or user interaction, making exploitation straightforward for remote attackers. The primary impact is confidentiality loss, as attackers can recover sensitive information from encrypted tokens that were intended to protect access to video content, embed URLs, and user session data.
Root Cause
The root cause is missing authentication enforcement on the decryptString action within the API plugin. The developers implemented the decryption functionality for internal use but failed to restrict access to authenticated users or internal processes. This oversight allows any remote user to invoke the decryption function directly, bypassing the intended security model that relies on ciphertext confidentiality. Note that simply requiring a login narrows the oracle to registered users without removing it: any authenticated caller could still decrypt ciphertext issued to someone else unless the action also checks the caller's entitlement to that particular token, or stops returning raw plaintext altogether.
Attack Vector
The attack exploits the publicly accessible decryptString API endpoint. Attackers can collect encrypted tokens from public endpoints such as view/url2Embed.json.php, which issues ciphertext to users for embedding videos. These encrypted tokens can then be submitted to the vulnerable decryptString action, which returns the plaintext without verifying the requester's identity.
The attack flow typically involves: (1) Harvesting encrypted tokens from public embed endpoints, (2) Submitting collected ciphertext to the unauthenticated decryptString API, and (3) Receiving decrypted tokens containing protected metadata, video access tokens, or session information.
Detection Methods for CVE-2026-33512
Indicators of Compromise
- Unusual volume of requests to the decryptString API endpoint from external IP addresses
- Sequential or bulk decryption requests indicating automated token harvesting
- Access to decryption API from IP addresses not associated with legitimate platform users
- Correlation between requests to view/url2Embed.json.php and subsequent decryptString calls from the same source
Detection Strategies
- Log every call to the decryptString action and review the calls themselves; on an unpatched instance unauthenticated calls succeed, so there are no authentication failures to alert on
- Deploy web application firewall rules to detect and alert on direct API access to sensitive endpoints
- Analyze server logs for patterns of token collection followed by decryption requests
- Set up alerting for high-frequency requests to cryptographic API endpoints
Monitoring Recommendations
- Enable detailed access logging for the AVideo API plugin endpoints; web server access logs record only the path and query string, so if the action name or ciphertext travels in a POST body, the logging must happen in the application or at the reverse proxy
- After patching, monitor authentication failures on sensitive API actions; before patching, monitor successful unauthenticated calls, since the vulnerable code rejects nothing
- Track the ratio of embed token requests to decryption requests for anomaly detection
- Review access patterns to identify potential token harvesting campaigns
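As an added example for the indicators and strategies above (not code from this page or from AVideo), the following Python script parses nginx/Apache combined-format access log lines and raises the three patterns: any call to the decrypt action, a burst of such calls from one source, and a source that fetches view/url2Embed.json.php before calling the decrypt action. The log lines are constructed for the example, and the request path and query parameter used for the decrypt action (get.json.php?APIName=decryptString) are assumptions, since this page does not give the exact request shape; adjust DECRYPT_MARKER and EMBED_PATH to the URLs your installation actually serves.

```python
#!/usr/bin/env python3
"""Flag harvest-then-decrypt patterns in web server access logs.

Added example for this advisory; not code from AVideo. Indicators raised:
  decrypt_call          any request whose target contains the decrypt action
  decrypt_burst         BURST_COUNT or more such requests from one source
                        within BURST_WINDOW (automated decryption)
  harvest_then_decrypt  a source that fetched view/url2Embed.json.php and
                        later called the decrypt action
Assumption: the action name appears somewhere in the request line (path or
query string). If it travels in a POST body, access logs will not show it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx/Apache "combined" format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

EMBED_PATH = "view/url2Embed.json.php"   # public endpoint that issues ciphertext
DECRYPT_MARKER = "decryptString"         # assumed to appear in the request line
BURST_COUNT = 5
BURST_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Return a dict with ip, ts, target, status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "target": m["target"],
        "status": int(m["status"]),
    }


def analyze(lines):
    """Map each source IP that tripped an indicator to the set of indicator names."""
    events = defaultdict(lambda: {"embed": [], "decrypt": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if EMBED_PATH in rec["target"]:
            events[rec["ip"]]["embed"].append(rec["ts"])
        if DECRYPT_MARKER in rec["target"]:
            events[rec["ip"]]["decrypt"].append(rec["ts"])

    findings = {}
    for ip, ev in events.items():
        hits = set()
        decrypts = sorted(ev["decrypt"])
        if decrypts:
            hits.add("decrypt_call")
        # Sliding window: BURST_COUNT calls whose first and last are <= BURST_WINDOW apart.
        for i in range(len(decrypts) - BURST_COUNT + 1):
            if decrypts[i + BURST_COUNT - 1] - decrypts[i] <= BURST_WINDOW:
                hits.add("decrypt_burst")
                break
        # Embed token fetched before the last decrypt call: harvest, then decrypt.
        if ev["embed"] and decrypts and min(ev["embed"]) < decrypts[-1]:
            hits.add("harvest_then_decrypt")
        if hits:
            findings[ip] = hits
    return findings


# Constructed sample log, not real traffic. The decrypt request shape
# (get.json.php?APIName=decryptString) is an assumption made for the example.
SAMPLE_LOG = """\
198.51.100.2 - - [24/Mar/2026:10:00:01 +0000] "GET /view/url2Embed.json.php HTTP/1.1" 200 512
203.0.113.7 - - [24/Mar/2026:10:01:00 +0000] "GET /view/url2Embed.json.php HTTP/1.1" 200 540
203.0.113.7 - - [24/Mar/2026:10:01:02 +0000] "GET /plugin/API/get.json.php?APIName=decryptString&string=AAAA HTTP/1.1" 200 210
203.0.113.7 - - [24/Mar/2026:10:01:03 +0000] "GET /plugin/API/get.json.php?APIName=decryptString&string=BBBB HTTP/1.1" 200 210
203.0.113.7 - - [24/Mar/2026:10:01:04 +0000] "GET /plugin/API/get.json.php?APIName=decryptString&string=CCCC HTTP/1.1" 200 210
203.0.113.7 - - [24/Mar/2026:10:01:05 +0000] "GET /plugin/API/get.json.php?APIName=decryptString&string=DDDD HTTP/1.1" 200 210
203.0.113.7 - - [24/Mar/2026:10:01:06 +0000] "GET /plugin/API/get.json.php?APIName=decryptString&string=EEEE HTTP/1.1" 200 210
192.0.2.9 - - [24/Mar/2026:10:05:00 +0000] "GET /plugin/API/get.json.php?APIName=decryptString&string=FFFF HTTP/1.1" 200 210
this line is not in combined format and is skipped
"""

if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, ", ".join(sorted(hits)))
```

On the sample, 203.0.113.7 trips all three indicators, 192.0.2.9 trips only decrypt_call, and 198.51.100.2 (embed only) is not reported. Because the vulnerable endpoint answers every caller, the decrypt_call indicator will also fire for legitimate internal users; treat it as a review queue and the burst and harvest-then-decrypt indicators as the alerting tier.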
How to Mitigate CVE-2026-33512
Immediate Actions Required
- Update WWBN AVideo to a version containing commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 or later
- If patching is not immediately possible, restrict network access to the API plugin endpoints
- Review logs for evidence of prior exploitation and rotate any potentially compromised tokens
- Audit all API endpoints for similar authentication gaps
Patch Information
WWBN has released a patch in commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13. Organizations should apply this patch immediately to address the vulnerability. For detailed patch information, refer to the GitHub Commit Details and the GitHub Security Advisory.
Workarounds
- Block external access to the decryptString API endpoint using firewall rules or web server configuration
- Implement authentication requirements at the reverse proxy or load balancer level for API endpoints
- Disable the API plugin entirely if decryption functionality is not required for your deployment
- Use network segmentation to limit API access to trusted internal systems only
# Example: Block the decryptString action in nginx. "location" matches only the
# request path, never the query string, so if your AVideo version selects the
# action via a query parameter, the $args check (server context) is the one that
# applies. Verify the real request shape against your installation.
location ~ /plugin/API/.*decryptString {
    return 403;
}
if ($args ~* "decryptString") {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.