
CVE-2026-33649: Wwbn Avideo CSRF Vulnerability

CVE-2026-33649 is a CSRF flaw in Wwbn Avideo that allows attackers to escalate privileges by exploiting missing token validation. This post explains its impact, affected versions, and mitigation steps.

Published: March 27, 2026

CVE-2026-33649 Overview

WWBN AVideo is an open source video platform. A Cross-Site Request Forgery (CSRF) vulnerability exists in versions up to and including 26.0 that allows unauthenticated attackers to escalate privileges by exploiting the plugin/Permissions/setPermission.json.php endpoint. This endpoint accepts GET parameters for state-changing operations that modify user group permissions without CSRF token validation, and the application explicitly sets session.cookie_samesite=None on session cookies. An attacker can craft a malicious page with <img> tags that, when visited by an authenticated administrator, silently grants arbitrary permissions to the attacker's user group — effectively escalating the attacker to near-admin access.

Critical Impact

Unauthenticated attackers can achieve near-admin privilege escalation by tricking administrators into visiting malicious pages, potentially leading to full platform compromise.

Affected Products

  • WWBN AVideo versions up to and including 26.0
  • All AVideo installations using default session cookie configurations
  • Self-hosted AVideo instances without additional CSRF protections

Discovery Timeline

  • 2026-03-23 - CVE-2026-33649 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2026-33649

Vulnerability Analysis

This vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The core issue stems from two security misconfigurations working in tandem: the permission management endpoint performs state-changing operations via HTTP GET requests without validating CSRF tokens, and the application explicitly configures session cookies with SameSite=None. This combination creates a perfect storm for CSRF exploitation.

When an authenticated administrator visits an attacker-controlled webpage, embedded elements such as <img> tags can silently trigger GET requests to the vulnerable endpoint. Since the browser automatically includes session cookies (due to SameSite=None), these requests execute with the administrator's privileges, allowing the attacker to modify user group permissions arbitrarily.

Root Cause

The root cause is the absence of CSRF protection mechanisms on the plugin/Permissions/setPermission.json.php endpoint combined with an insecure session cookie configuration. The endpoint performs sensitive state-changing operations (modifying user permissions) using GET parameters instead of POST requests with anti-CSRF tokens. Additionally, the explicit session.cookie_samesite=None setting on session cookies defeats the browser's built-in CSRF protections that modern SameSite cookie defaults would otherwise provide.
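The two defects the root-cause paragraph names (a state change driven by a bare GET with no token, and a session cookie that the browser attaches cross-site because of SameSite=None) and the corresponding fixes are shown below in an added Python example. It is not AVideo's code or SentinelOne's: `SITE_ORIGIN`, the function names and the form and parameter names are assumptions chosen for illustration. The hardened check enforces POST, a same-origin check on `Origin`/`Referer` and `Sec-Fetch-Site`, and a per-session synchronizer token compared in constant time.

```python
"""CSRF gatekeeping for a state-changing permission endpoint.

Hypothetical, added example (not AVideo code): models the two defects the
advisory describes (GET-based state changes with no token; SameSite=None
session cookies) next to a hardened check.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the deployment; replace with the real site origin.
SITE_ORIGIN = "https://avideo.example.org"


def vulnerable_allows(method: str, params: dict, session: dict) -> bool:
    """Models the flawed behaviour: any logged-in session may change
    permissions via a bare GET, so a cross-site <img> request succeeds.
    'group' and 'perm' are constructed parameter names."""
    return bool(session.get("user_id")) and "group" in params and "perm" in params


def issue_csrf_token(session: dict) -> str:
    """Store a random per-session token; the admin form echoes it back."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def hardened_allows(method: str, headers: dict, form: dict, session: dict) -> bool:
    """Reject the request unless every CSRF control passes."""
    if not session.get("user_id"):
        return False
    # 1. State changes only via POST: <img>/<script> tags can only issue GETs.
    if method.upper() != "POST":
        return False
    # 2. Fetch metadata: browsers label cross-site requests explicitly.
    fetch_site = headers.get("Sec-Fetch-Site")
    if fetch_site is not None and fetch_site not in ("same-origin", "none"):
        return False
    # 3. Origin (or Referer as fallback) must match the site's own origin.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin:
        parts = urlsplit(origin)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return False
    # 4. Synchronizer token bound to the session, compared in constant time.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    return True


def session_cookie(name: str, value: str, cross_site: bool) -> str:
    """Build a Set-Cookie value: SameSite=None is the vulnerable setting,
    SameSite=Lax keeps the cookie off cross-site subresource requests."""
    samesite = "None" if cross_site else "Lax"
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={samesite}"


if __name__ == "__main__":
    sess = {"user_id": 1}
    print("vulnerable GET accepted:", vulnerable_allows("GET", {"group": "3", "perm": "1"}, sess))
    tok = issue_csrf_token(sess)
    print("hardened cross-site GET accepted:",
          hardened_allows("GET", {"Referer": "https://attacker.example/"}, {}, sess))
    print("hardened same-origin POST with token accepted:",
          hardened_allows("POST", {"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"},
                          {"csrf_token": tok}, sess))
    print(session_cookie("PHPSESSID", "abc123", cross_site=False))
```

Note that steps 2 and 3 fail closed only when the headers are present; the token in step 4 is what protects a request from a client that sends neither, so it is never optional.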

Attack Vector

The attack is network-based and requires user interaction — specifically, an administrator must be lured to visit an attacker-controlled page while authenticated to the AVideo platform. The attacker constructs a malicious webpage containing <img> elements with src attributes pointing to the vulnerable endpoint with crafted parameters. When the administrator's browser loads these images, it automatically sends authenticated requests to the AVideo server, executing the permission changes without the administrator's knowledge or consent.

The vulnerability mechanism involves crafting malicious HTML elements that trigger GET requests to the setPermission.json.php endpoint. When an administrator visits the attacker's page, the browser loads these elements and sends authenticated requests due to the SameSite=None cookie configuration. For detailed technical information, see the GitHub Security Advisory.

Detection Methods for CVE-2026-33649

Indicators of Compromise

  • Unexpected permission changes in user groups or accounts without corresponding administrative action logs
  • Access logs showing GET requests to plugin/Permissions/setPermission.json.php with referrer headers from external domains
  • User groups gaining elevated permissions without documented authorization changes
  • Administrative accounts reporting they did not make permission modifications that appear in audit logs

Detection Strategies

  • Monitor web server access logs for requests to the setPermission.json.php endpoint with external or suspicious referrer headers
  • Implement alerts for permission changes that occur without corresponding entries in administrative activity logs
  • Review session logs for administrative accounts making requests from unexpected IP addresses or with unusual timing patterns
  • Deploy Web Application Firewall (WAF) rules to detect and block cross-origin requests to sensitive administrative endpoints
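As an added example of the log-based detection described above (not SentinelOne's or AVideo's code), the following Python script parses Apache combined-format access log lines and flags GET requests to setPermission.json.php whose Referer is absent or comes from a host other than the site's own. The log lines, the IP addresses, the `SITE_HOST` value and the query parameter names are all constructed for the example; a missing Referer is treated as suspicious because a page can suppress it with a referrer policy.

```python
"""Flag cross-site GET requests to the permission endpoint in Apache access logs.

Added example, not SentinelOne or AVideo code. The log lines below are
constructed; SITE_HOST is an assumed placeholder for the deployment's hostname.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

SITE_HOST = "avideo.example.org"  # assumed: the deployment's own hostname
TARGET = "/plugin/Permissions/setPermission.json.php"

# Apache "combined" format:
# host ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two cross-site GETs (one with a foreign Referer, one with
# none), then legitimate same-origin admin traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2026:10:01:02 +0000] "GET /plugin/Permissions/setPermission.json.php?groups_id=3&permission_id=12&value=1 HTTP/1.1" 200 41 "https://attacker.example/post.html" "Mozilla/5.0"
203.0.113.7 - - [27/Mar/2026:10:01:03 +0000] "GET /plugin/Permissions/setPermission.json.php?groups_id=3&permission_id=13&value=1 HTTP/1.1" 200 41 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Mar/2026:10:05:10 +0000] "POST /plugin/Permissions/setPermission.json.php HTTP/1.1" 200 41 "https://avideo.example.org/plugin/Permissions/" "Mozilla/5.0"
198.51.100.4 - - [27/Mar/2026:10:05:11 +0000] "GET /plugin/Permissions/ HTTP/1.1" 200 1234 "https://avideo.example.org/" "Mozilla/5.0"
"""


def referer_host(referer: str) -> Optional[str]:
    """Return the host of a Referer value, or None when it is absent ('-')."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def flag_csrf_candidates(log_text: str, site_host: str = SITE_HOST) -> List[Dict]:
    """Return GET requests to the permission endpoint whose Referer is
    missing or belongs to a host other than site_host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m["path"].split("?", 1)[0]
        if path != TARGET or m["method"] != "GET":
            continue
        host = referer_host(m["referer"])
        if host == site_host:
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "referer_host": host,
            "query": m["path"].partition("?")[2],
            "status": m["status"],
        })
    return hits


if __name__ == "__main__":
    for hit in flag_csrf_candidates(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} referer={hit['referer_host']} "
              f"status={hit['status']} query={hit['query']}")
```

A 200 status on a flagged line means the server accepted the change, which is the case to correlate with the permission audit trail; once the endpoint is moved to POST-only, any remaining GET hit is noise or probing rather than a successful change.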

Monitoring Recommendations

  • Enable comprehensive logging for all permission-related API endpoints in the AVideo platform
  • Configure SIEM rules to correlate permission changes with legitimate administrative sessions
  • Establish baseline metrics for normal permission modification patterns and alert on deviations
  • Monitor for new or modified user groups with elevated privileges that were not created through documented processes

How to Mitigate CVE-2026-33649

Immediate Actions Required

  • Restrict access to the AVideo administrative interface to trusted IP addresses or VPN-only access
  • Implement network-level controls to limit external access to the plugin/Permissions/ directory
  • Advise administrators to use dedicated browser profiles for AVideo administration that are not used for general browsing
  • Review and audit all recent permission changes to identify any unauthorized modifications

Patch Information

As of the publication date, no known patched versions are available. Organizations should monitor the WWBN AVideo GitHub Security Advisory for updates on patch availability. Consider implementing additional security controls until an official fix is released.

Workarounds

  • Deploy a reverse proxy or WAF rule to validate the Referer and Origin headers for requests to permission management endpoints
  • Configure web server rules to block GET requests to setPermission.json.php from external referrers
  • Implement network segmentation to restrict administrative endpoint access to internal networks only
  • Use browser security extensions that restrict cross-origin requests when accessing the AVideo admin panel
```apache
# Example Apache .htaccess configuration to restrict access to the permissions endpoint
<Files "setPermission.json.php">
    # Allow only requests whose Referer is the site's own origin. The trailing "/"
    # keeps "https://your-avideo-domain.com.evil.example/" from matching as well.
    SetEnvIf Referer "^https://your-avideo-domain\.com/" allowed_referer
    # Requests without a Referer (for example from a page using a no-referrer
    # policy) fall through to the deny rule.
    # Apache 2.2-style directives (on Apache 2.4 they require mod_access_compat):
    Order Deny,Allow
    Deny from all
    Allow from env=allowed_referer
    # Apache 2.4 native equivalent of the three lines above:
    # Require env allowed_referer
</Files>
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: CSRF
  • Vendor/Tech: Wwbn Avideo
  • Severity: HIGH
  • CVSS Score: 8.8
  • EPSS Probability: 0.02%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: High
  • Availability: High

CWE References

  • CWE-352

Vendor Resources

  • GitHub Security Advisory

Related CVEs

  • CVE-2026-34394: Wwbn Avideo CSRF Vulnerability
  • CVE-2026-34611: Wwbn Avideo CSRF Vulnerability
  • CVE-2026-34395: Wwbn Avideo Information Disclosure Flaw
  • CVE-2026-34396: Wwbn Avideo XSS Vulnerability
©2026 SentinelOne, All Rights Reserved.