The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33688

CVE-2026-33688: WWBN AVideo Information Disclosure Flaw

CVE-2026-33688 is an information disclosure vulnerability in WWBN AVideo that allows attackers to enumerate valid usernames and account statuses without captcha validation. This article covers technical details, affected versions, and mitigation.

Published: March 27, 2026

CVE-2026-33688 Overview

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user enumeration vulnerability exists in the password recovery endpoint at objects/userRecoverPass.php. The endpoint performs user existence and account status checks before validating the captcha, allowing an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned — at scale and without solving any captcha — by observing three distinct JSON error responses.

Critical Impact

Attackers can enumerate valid usernames and account statuses without authentication, enabling targeted credential attacks, social engineering campaigns, and reconnaissance for further exploitation of the AVideo platform.

Affected Products

  • WWBN AVideo versions up to and including 26.0
  • AVideo installations with exposed password recovery functionality
  • Self-hosted AVideo instances accessible via network

Discovery Timeline

  • 2026-03-23 - CVE CVE-2026-33688 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2026-33688

Vulnerability Analysis

This vulnerability is classified as CWE-204 (Observable Response Discrepancy), a form of information disclosure that occurs when an application returns distinguishable responses that reveal sensitive information about user accounts. The flaw allows attackers to differentiate between valid and invalid usernames, as well as determine the status of valid accounts (active, inactive, or banned) through variations in the server's JSON error messages.

The vulnerability presents a significant reconnaissance risk because it bypasses the intended captcha protection mechanism. The captcha validation occurs after the user existence and status checks, creating a timing and logic flaw that attackers can exploit programmatically at scale.

Root Cause

The root cause lies in the improper sequencing of security controls within the objects/userRecoverPass.php endpoint. The application validates user existence and checks account status before enforcing the captcha requirement. This design flaw means the captcha protection — intended to prevent automated abuse — is ineffective against enumeration attacks because attackers receive informative error responses before the captcha is ever validated.

A secure implementation would validate the captcha first, before performing any database lookups or returning any information about user accounts. The fix in commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 addresses this by reordering the validation logic.

Attack Vector

The attack can be executed remotely over the network without any authentication. An attacker sends requests to the password recovery endpoint with various usernames and analyzes the JSON responses. The three distinct error messages allow attackers to build a database of valid usernames and their account statuses. This information can then be used for:

  • Credential stuffing attacks using the enumerated valid usernames
  • Targeted phishing campaigns against known active users
  • Identification of high-value accounts (administrators, moderators)
  • Understanding account lockout or ban patterns for timing attacks

The vulnerability mechanism works by sending POST requests to the objects/userRecoverPass.php endpoint with different username values. The server returns different JSON error messages depending on whether the username exists, and if it does, what the account status is. Since no captcha is required for these checks, an attacker can automate this process to test thousands of potential usernames rapidly. For technical details, see the GitHub Security Advisory GHSA-m99f-mmvg-3xmx.

Detection Methods for CVE-2026-33688

Indicators of Compromise

  • High volume of requests to objects/userRecoverPass.php from single IP addresses or IP ranges
  • Sequential or patterned username attempts in password recovery requests
  • Requests to the password recovery endpoint without subsequent captcha submissions
  • Unusual traffic patterns indicating automated enumeration scripts
  • Failed password recovery attempts followed by targeted login attempts using enumerated usernames

Detection Strategies

  • Implement rate limiting detection on the password recovery endpoint to flag excessive requests
  • Configure web application firewall (WAF) rules to detect enumeration patterns
  • Monitor HTTP response codes and response body patterns for the password recovery endpoint
  • Deploy anomaly detection for authentication-related endpoints to identify automated scanning
  • Correlate password recovery attempts with subsequent credential stuffing attacks

Monitoring Recommendations

  • Enable detailed logging for all requests to objects/userRecoverPass.php including request parameters
  • Set up alerts for request rates exceeding normal user behavior thresholds
  • Monitor for requests originating from known malicious IP ranges or Tor exit nodes
  • Track and alert on response time anomalies that may indicate enumeration scanning
  • Implement user behavior analytics to detect reconnaissance activities

How to Mitigate CVE-2026-33688

Immediate Actions Required

  • Apply the security patch by updating to a version containing commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157
  • Implement rate limiting on the password recovery endpoint as an interim measure
  • Configure WAF rules to block automated enumeration attempts
  • Review access logs for signs of prior exploitation
  • Consider temporarily restricting access to the password recovery functionality if immediate patching is not possible

Patch Information

WWBN has released a patch in commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 that addresses this vulnerability by reordering the validation logic to enforce captcha verification before performing user existence checks. Administrators should update their AVideo installations to the latest version that includes this commit. The patch is available via the GitHub commit.

Workarounds

  • Implement server-level rate limiting on the objects/userRecoverPass.php endpoint (e.g., 5 requests per minute per IP)
  • Configure a reverse proxy or WAF to return identical error messages for all password recovery failures
  • Restrict access to the password recovery endpoint by IP whitelist if feasible for your deployment
  • Add additional CAPTCHA or challenge-response mechanisms at the web server level before requests reach the application
  • Consider disabling the password recovery feature temporarily and using alternative account recovery methods
bash
# Example nginx rate limiting configuration for password recovery endpoint
limit_req_zone $binary_remote_addr zone=passrecovery:10m rate=5r/m;

location /objects/userRecoverPass.php {
    limit_req zone=passrecovery burst=2 nodelay;
    limit_req_status 429;
    # Forward to PHP-FPM or application server
    include fastcgi_params;
    fastcgi_pass unix:/var/run/php/php-fpm.sock;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeInformation Disclosure
  • Vendor/TechWwbn Avideo
  • SeverityMEDIUM
  • CVSS Score5.3
  • EPSS Probability0.04%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-204
  • Vendor Resources
  • GitHub Commit Update
  • GitHub Security Advisory GHSA-m99f-mmvg-3xmx
  • Related CVEs
  • CVE-2026-35449: WWBN AVideo Information Disclosure Flaw
  • CVE-2026-35452: WWBN AVideo Information Disclosure Flaw
  • CVE-2026-34395: Wwbn Avideo Information Disclosure Flaw
  • CVE-2026-33764: Wwbn Avideo Information Disclosure Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English