CVE-2026-33716 Overview
CVE-2026-33716 is an authentication bypass vulnerability in WWBN AVideo, an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at plugin/Live/standAloneFiles/control.json.php accepts a user-supplied streamerURL parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns {"error": false}, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence.
Critical Impact
This vulnerability allows complete authentication bypass for live stream management, enabling attackers to disrupt streaming services, manipulate recordings, and gain unauthorized control over the video platform without any credentials.
Affected Products
- WWBN AVideo versions up to and including 26.0
- All AVideo deployments using the Live plugin with standalone control endpoints
- Self-hosted AVideo instances with publicly accessible stream control endpoints
Discovery Timeline
- 2026-03-23 - CVE-2026-33716 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33716
Vulnerability Analysis
The vulnerability exists in the live stream control functionality of WWBN AVideo. The affected endpoint plugin/Live/standAloneFiles/control.json.php is designed to manage live streaming operations including publisher management, recording controls, and stream status queries. The authentication mechanism relies on token verification by sending requests to a configured streamer URL.
The fundamental flaw is that the endpoint blindly accepts a user-supplied streamerURL parameter from the HTTP request, allowing attackers to override the legitimate verification server. By pointing this parameter to an attacker-controlled server that responds with a valid authentication response ({"error": false}), the entire authentication check becomes meaningless.
This vulnerability enables unauthenticated users to perform privileged operations on any live stream, including disconnecting active broadcasters, manipulating recording states, and enumerating stream information across the platform.
Root Cause
The root cause is improper input validation combined with a flawed authentication architecture. The code directly accepts and uses the streamerURL parameter from user input ($_REQUEST['streamerURL']) without any validation or restriction. This allows external control over the authentication verification endpoint, effectively giving attackers the ability to authenticate against their own server.
The authentication mechanism violated a fundamental security principle: authentication verification endpoints should never be user-controllable. By allowing the verification destination to be modified by the client, the server-side authentication becomes entirely client-controlled.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Setting up a malicious server that responds to any token verification request with {"error": false}
- Sending requests to the vulnerable endpoint with their malicious server URL in the streamerURL parameter
- The AVideo server sends authentication verification to the attacker's server instead of the legitimate streamer
- The attacker's server confirms the fake authentication
- The attacker gains full control over live stream operations
The patch removes the ability for users to supply the streamerURL parameter:
error_log("control.json.php: Config file NOT found");
}
-if (!empty($_REQUEST['streamerURL'])) {
- $streamerURL = $_REQUEST['streamerURL'];
-}
+// SECURITY: User-supplied streamerURL is intentionally NOT accepted.
+// Allowing it would enable authentication bypass and SSRF via file_get_contents
+// on an attacker-controlled host. streamerURL MUST come from the configuration
+// file or be hard-coded in this file above.
error_log("Control.json.php start ".json_encode($_REQUEST));
Source: GitHub Commit 388fcd57
Detection Methods for CVE-2026-33716
Indicators of Compromise
- HTTP requests to /plugin/Live/standAloneFiles/control.json.php containing streamerURL parameters pointing to external domains
- Unusual outbound connections from the AVideo server to unknown external hosts during stream control operations
- Unexpected stream disconnections or recording state changes without corresponding authenticated user sessions
Detection Strategies
- Monitor web server access logs for requests containing the streamerURL parameter in the query string or POST body
- Implement network monitoring to detect outbound HTTP requests from the AVideo server to non-whitelisted destinations
- Review authentication logs for stream control actions that lack corresponding valid user sessions
- Deploy web application firewall rules to block requests containing the streamerURL parameter
Monitoring Recommendations
- Enable detailed logging for the plugin/Live/standAloneFiles/control.json.php endpoint
- Set up alerts for any external URL patterns in request parameters to live stream control endpoints
- Monitor for sudden changes in live stream states that don't correlate with administrator actions
- Track outbound network connections from the web server to identify potential authentication redirect attempts
How to Mitigate CVE-2026-33716
Immediate Actions Required
- Update WWBN AVideo to a version that includes commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 or later
- If immediate patching is not possible, restrict access to the /plugin/Live/standAloneFiles/ directory at the web server level
- Review server logs for evidence of exploitation attempts targeting the streamerURL parameter
- Audit recent stream control activities for unauthorized modifications
Patch Information
The vulnerability has been addressed in commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128. This patch removes the ability for users to supply the streamerURL parameter, ensuring the verification endpoint can only be configured through the server-side configuration file. Users should update their AVideo installation to include this commit. For more details, refer to the GitHub Security Advisory GHSA-9hv9-gvwm-95f2 and the associated patch commit.
Workarounds
- Use web server configuration to deny requests containing the streamerURL parameter to the control endpoint
- Place the /plugin/Live/standAloneFiles/ directory behind IP-based access restrictions
- Implement a reverse proxy or WAF rule to filter out requests with user-supplied streamerURL values
- Disable the Live plugin entirely if live streaming functionality is not required
# Apache .htaccess example to block streamerURL parameter
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} streamerURL [NC]
RewriteRule ^plugin/Live/standAloneFiles/control\.json\.php$ - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
