CVE-2026-33719 Overview
WWBN AVideo is an open source video platform that contains an authentication bypass vulnerability in its CDN plugin. In versions up to and including 26.0, the CDN plugin endpoints plugin/CDN/status.json.php and plugin/CDN/disable.json.php use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration — including CDN URLs, storage credentials, and the authentication key itself — via mass-assignment through the par request parameter.
Critical Impact
Unauthenticated attackers can take full control of CDN configuration, potentially redirecting video content delivery to malicious servers, stealing storage credentials, or locking out legitimate administrators by modifying the authentication key.
Affected Products
- WWBN AVideo versions up to and including 26.0
- Installations with the CDN plugin enabled but no authentication key configured (the default state)
- Self-hosted AVideo deployments using default configurations
Discovery Timeline
- 2026-03-23 - CVE-2026-33719 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33719
Vulnerability Analysis
This vulnerability represents an authentication bypass flaw (CWE-306: Missing Authentication for Critical Function) in the WWBN AVideo CDN plugin. The core issue stems from a flawed authentication design where the plugin's key-based authentication mechanism fails to properly validate requests when the authentication key is left at its default empty string value.
When the CDN plugin is enabled without a configured key, the conditional check if (!empty($obj->key)) evaluates to false, causing the entire key validation block to be skipped. This creates a situation where any unauthenticated attacker can access the CDN configuration endpoints without providing valid credentials.
The vulnerability is further compounded by a mass-assignment issue where the $_REQUEST['par'] parameter allows arbitrary object property assignment, giving attackers the ability to modify any CDN configuration setting including storage credentials and the authentication key itself.
Root Cause
The root cause is a logic flaw in the authentication implementation where the key validation only occurs if a non-empty key has been configured. Combined with an empty default key value, this creates a complete authentication bypass in the default installation state. The vulnerable code pattern checks if (!empty($obj->key)) before validating the provided key, meaning that when no key is configured, the validation is entirely skipped rather than denying access.
Attack Vector
The attack can be executed remotely over the network without any authentication or user interaction. An attacker simply needs to send HTTP requests to the vulnerable CDN plugin endpoints (plugin/CDN/status.json.php or plugin/CDN/disable.json.php) with a key parameter and malicious configuration values in the par array parameter. Since no authentication is required when the key is unconfigured, the attacker can modify CDN URLs, storage credentials, and even set a new authentication key to lock out administrators.
// Vulnerable code pattern from plugin/CDN/disable.json.php (before patch)
// Source: https://github.com/WWBN/AVideo/commit/adeff0a31ba04a56f411eef256139fd7ed7d4310
if (empty($_REQUEST['key'])) {
    $resp->msg = 'Key is empty';
    die(json_encode($resp));
}

if (!empty($obj->key)) {
    // check the key: this whole block is skipped when no key is configured (default empty string)
    if ($obj->key !== $_REQUEST['key']) {
        $resp->msg = 'Key Does not match';
        die(json_encode($resp));
    }
}
$obj->key = $_REQUEST['key'];
// mass assignment: every entry of par[] becomes a property of the configuration object
foreach ($_REQUEST['par'] as $key => $value) {
    $obj->{$key} = $value;
}
Source: GitHub Commit adeff0a31ba04a56f411eef256139fd7ed7d4310
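The following Python model is an added illustration, not the project's PHP and not the patch: it reproduces the flawed key check beside a fail-closed version that also restricts which properties par may set. The configuration dicts, their field names and the WRITABLE allow-list are constructed for the example.

```python
import hmac

# Constructed sample configurations; field names are illustrative, not AVideo's real CDN plugin fields.
UNCONFIGURED = {"key": "", "CDN_URL": "https://cdn.example/", "storage_secret": "s3-secret"}
CONFIGURED = {"key": "Kp9vR2xQ", "CDN_URL": "https://cdn.example/", "storage_secret": "s3-secret"}

# Hypothetical allow-list: the only properties a caller may change through par.
WRITABLE = {"CDN_URL"}


def vulnerable_update(config: dict, request: dict) -> tuple:
    """Mirrors the flawed pattern: the key is compared only when one is already configured."""
    if not request.get("key"):
        return False, config
    if config["key"]:  # whole validation block skipped when key is "" (the default)
        if config["key"] != request["key"]:
            return False, config
    cfg = dict(config)
    cfg["key"] = request["key"]  # the caller's key becomes the stored key
    for name, value in request.get("par", {}).items():
        cfg[name] = value  # mass assignment: any property, including key and credentials
    return True, cfg


def hardened_update(config: dict, request: dict) -> tuple:
    """Fail closed: deny when no key is configured or supplied; constant-time compare; allow-listed par."""
    supplied = request.get("key", "")
    if not config["key"] or not supplied:
        return False, config
    if not hmac.compare_digest(config["key"], supplied):
        return False, config
    cfg = dict(config)
    for name, value in request.get("par", {}).items():
        if name in WRITABLE:
            cfg[name] = value
    return True, cfg
```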
Detection Methods for CVE-2026-33719
Indicators of Compromise
- Unexpected HTTP requests to /plugin/CDN/status.json.php or /plugin/CDN/disable.json.php endpoints from external IP addresses
- Modified CDN configuration settings without authorized administrator action
- Unusual changes to CDN URLs pointing to unknown or suspicious domains
- Modified storage credentials or authentication keys in CDN plugin settings
Detection Strategies
- Monitor web server access logs for requests to CDN plugin endpoints containing par parameters with configuration modification attempts
- Implement web application firewall (WAF) rules to detect and block requests with mass-assignment patterns targeting the CDN plugin
- Set up file integrity monitoring for AVideo configuration files to detect unauthorized changes
- Review CDN plugin configuration regularly for unexpected modifications
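To make the log-monitoring strategy above concrete, here is an added Python example (not part of the original advisory) that scans combined-format access log lines for requests to the two CDN endpoints that carry par[...] parameters, use POST, or originate outside trusted networks. The log lines and the trusted networks are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2026:10:01:02 +0000] "GET /plugin/CDN/status.json.php?key=x&par[CDN_URL]=https://cdn.example.invalid/ HTTP/1.1" 200 52 "-" "curl/8.5.0"
192.168.1.20 - - [24/Mar/2026:10:02:10 +0000] "GET /plugin/CDN/status.json.php?key=s3cret HTTP/1.1" 200 48 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2026:10:03:15 +0000] "POST /plugin/CDN/disable.json.php HTTP/1.1" 200 40 "-" "python-requests/2.31"
198.51.100.9 - - [24/Mar/2026:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
CDN_ENDPOINT_RE = re.compile(r"/plugin/CDN/(status|disable)\.json\.php$")
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # assumed admin networks


def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostnames or malformed fields are never trusted
        return False
    return any(addr in net for net in TRUSTED_NETS)


def scan_cdn_requests(log_text: str) -> list:
    """One finding per CDN endpoint request that looks like a configuration write or comes from outside."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not CDN_ENDPOINT_RE.search(url.path):
            continue
        par_keys = [k for k in parse_qs(url.query) if k.startswith("par[")]
        reasons = []
        if par_keys:
            reasons.append("par parameters in query: " + ", ".join(par_keys))
        if m["method"] == "POST":
            reasons.append("POST body not logged; treat as a possible configuration write")
        if not is_trusted(m["ip"]):
            reasons.append("source outside trusted networks")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": url.path, "reasons": reasons})
    return findings
```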
Monitoring Recommendations
- Enable detailed logging for all CDN plugin endpoint access
- Configure alerting for any changes to CDN configuration settings outside of maintenance windows
- Monitor outbound traffic patterns for connections to unexpected CDN or storage endpoints
- Implement baseline monitoring for CDN configuration and alert on any deviations
How to Mitigate CVE-2026-33719
Immediate Actions Required
- Update WWBN AVideo to a version containing commit adeff0a31ba04a56f411eef256139fd7ed7d4310 or later
- If unable to update immediately, configure a strong, unique authentication key for the CDN plugin
- Review current CDN configuration for any unauthorized modifications
- Audit access logs for evidence of exploitation attempts
Patch Information
WWBN has released a security patch in commit adeff0a31ba04a56f411eef256139fd7ed7d4310 that improves key validation and response handling in the CDN disable and status endpoints. The patch ensures that authentication is properly enforced regardless of whether a key has been previously configured. Users should update to the latest version of AVideo that includes this fix.
For more information, see the GitHub Security Advisory GHSA-r64r-883r-wcwh and the patch commit details.
Workarounds
- Configure a strong, random authentication key for the CDN plugin immediately to prevent exploitation
- Disable the CDN plugin entirely if it is not actively being used
- Restrict access to CDN plugin endpoints at the web server or firewall level to trusted IP addresses only
- Implement a reverse proxy or WAF to filter requests to sensitive plugin endpoints
# Configuration example
# Restrict access to CDN plugin endpoints in Apache .htaccess
<FilesMatch "(status|disable)\.json\.php$">
    <If "%{REQUEST_URI} =~ m#/plugin/CDN/#">
        Require ip 10.0.0.0/8 192.168.0.0/16
    </If>
</FilesMatch>

# Or in Nginx, add to the server block. Place it before the generic PHP location
# (the first matching regex location wins) and include the same fastcgi_pass
# directives there, otherwise nginx serves the .php file as a static file.
# location ~* /plugin/CDN/(status|disable)\.json\.php$ {
#     allow 10.0.0.0/8;
#     allow 192.168.0.0/16;
#     deny all;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.