CVE-2026-33759 Overview
CVE-2026-33759 is an Insecure Direct Object Reference (IDOR) vulnerability affecting WWBN AVideo, an open source video platform. The vulnerability allows unauthenticated attackers to access the complete video contents of any playlist—including private playlists—by manipulating the playlists_id parameter in API requests to the objects/playlistsVideos.json.php endpoint.
While private playlists (including user-specific watch_later and favorite types) are properly hidden from listing endpoints via playlistsFromUser.json.php, the video contents endpoint lacks authentication and authorization checks, allowing direct enumeration and access through sequential integer IDs.
Critical Impact
Unauthenticated attackers can access private video content and user playlist data by enumerating sequential playlist IDs, potentially exposing sensitive or restricted video content across the entire platform.
Affected Products
- WWBN AVideo versions up to and including 26.0
- All AVideo installations using default configuration without external access controls
- Self-hosted AVideo instances with publicly accessible API endpoints
Discovery Timeline
- 2026-03-27 - CVE-2026-33759 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-33759
Vulnerability Analysis
This vulnerability represents a classic Insecure Direct Object Reference (IDOR) flaw where the application fails to verify that the requesting user has permission to access the requested resource. The playlistsVideos.json.php endpoint directly processes the playlists_id parameter without performing any authentication or authorization validation before returning playlist contents.
The core issue stems from an incomplete access control implementation—while the developers properly restricted playlist discovery through listing endpoints, they overlooked protecting the actual content retrieval endpoint. This creates a security gap where an attacker who knows or can guess a playlist ID gains full access to its contents regardless of the playlist's privacy settings.
Root Cause
The root cause involves two distinct issues in the AVideo codebase:
Missing Authorization Check: The playlistsVideos.json.php endpoint directly calls PlayList::getVideosFromPlaylist() without first verifying whether the requesting user has permission to view the playlist.
Variable Naming Typo: A secondary issue in the playlist.php file involved a typo where $playListCanSe was used instead of $playListCanSee, causing the permission caching mechanism to malfunction and potentially bypass visibility checks even when they were invoked.
Attack Vector
The attack is trivially exploitable over the network without authentication. An attacker simply sends HTTP requests to the vulnerable endpoint while incrementing the playlists_id parameter to enumerate all playlists on the platform:
GET /objects/playlistsVideos.json.php?playlists_id=1
GET /objects/playlistsVideos.json.php?playlists_id=2
GET /objects/playlistsVideos.json.php?playlists_id=3
...
Since playlist IDs are sequential integers, automated enumeration is straightforward and can quickly expose all private playlists including users' watch history and favorites.
The security patch addresses this by adding proper authorization checks:
// Patched handler: cast the ID, then refuse before loading any playlist data.
$_playlists_id = (int)$_REQUEST['playlists_id'];
// User::getId() identifies the current session's user, if any; canSee() fails
// closed for non-public playlists that the requester does not own.
if (!PlayList::canSee($_playlists_id, User::getId())) {
    http_response_code(403);
    die(json_encode(['error' => 'You do not have permission to view this playlist']));
}
$videos = PlayList::getVideosFromPlaylist($_playlists_id);
Source: GitHub Commit Reference
The patch also corrects the variable naming issue in the permission check function:
// PlayList::canSee(), signature as called from playlistsVideos.json.php above.
// The per-request cache must be written and read under one name
// ($playListCanSee); the earlier $playListCanSe typo split the two.
static function canSee($playlist_id, $users_id) {
    global $playListCanSee;
    $index = "$playlist_id, $users_id";
    if (isset($playListCanSee[$index])) {
        return $playListCanSee[$index];
    }
    $playListCanSee[$index] = true;
    $obj = new PlayList($playlist_id);
    $status = $obj->getStatus();
    // Only public and unlisted playlists are visible to anyone but the owner.
    if ($status !== 'public' && $status !== 'unlisted' && $users_id !== $obj->getUsers_id()) {
        $playListCanSee[$index] = false;
    }
    return $playListCanSee[$index];
}
Source: GitHub Commit Reference
Detection Methods for CVE-2026-33759
Indicators of Compromise
- Unusual volume of requests to /objects/playlistsVideos.json.php from single IP addresses
- Sequential or enumeration patterns in playlists_id parameter values in web server logs
- Requests to the playlist videos endpoint from unauthenticated sessions accessing non-public playlists
- Automated scanning tools targeting API endpoints with incrementing integer parameters
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block rapid sequential parameter enumeration
- Monitor access logs for patterns of requests iterating through numeric ID values
- Deploy rate limiting on API endpoints to slow down enumeration attempts
- Enable application-level logging to track unauthorized access attempts to private playlists
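As an added example (not from the advisory or the AVideo project), the detection idea in the two lists above as a script over web-server access logs: it groups hits on playlistsVideos.json.php by client, flags any client requesting several distinct playlists_id values within a short window, and records whether the IDs form a +1 run and how many were answered 403 (post-patch probing). The regex, thresholds and log lines are constructed for the example.

```python
"""Flag playlists_id enumeration against AVideo's playlistsVideos.json.php in
access logs. Added example for this advisory, not AVideo code; log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/objects/playlistsVideos.json.php"
# Combined log format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) \S+" (\d{3}) ')

def parse_hit(line):
    """Return (ip, timestamp, playlists_id, status) for hits on the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, target, status = m.groups()
    url = urlsplit(target)
    pid = parse_qs(url.query).get("playlists_id", [""])[0]
    if url.path != ENDPOINT or not pid.isdigit():
        return None
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, int(pid), int(status)

def find_enumeration(lines, min_ids=5, window_seconds=60):
    """Per client IP: any window_seconds span with >= min_ids distinct IDs is a finding."""
    by_ip = defaultdict(list)
    for line in lines:
        hit = parse_hit(line)
        if hit:
            by_ip[hit[0]].append(hit)
    findings = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h[1])
        for i, first in enumerate(hits):
            win = [h for h in hits[i:] if (h[1] - first[1]).total_seconds() <= window_seconds]
            ids = [h[2] for h in win]
            if len(set(ids)) >= min_ids:
                findings[ip] = {
                    "distinct_ids": len(set(ids)),
                    "sequential": all(b == a + 1 for a, b in zip(ids, ids[1:])),  # strict +1 run
                    "forbidden": sum(h[3] == 403 for h in win),  # denied by the patched check
                }
                break
    return findings

SAMPLE_LOG = [  # constructed: one enumerating client, one ordinary viewer
    f'203.0.113.7 - - [27/Mar/2026:10:00:{i:02d} +0000] "GET {ENDPOINT}?playlists_id={i + 1} HTTP/1.1" 403 58'
    for i in range(6)
] + ['198.51.100.4 - - [27/Mar/2026:10:00:03 +0000] "GET /objects/playlistsVideos.json.php?playlists_id=42 HTTP/1.1" 200 1201']
```

Run find_enumeration(SAMPLE_LOG) to see the enumerating client flagged and the single-request viewer ignored; tune min_ids and window_seconds to the platform's normal traffic before alerting on them.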
Monitoring Recommendations
- Configure alerts for high-frequency requests to the playlistsVideos.json.php endpoint
- Review web server access logs for requests returning playlist data without corresponding session authentication
- Monitor for unusual data exfiltration patterns from the video platform
- Implement anomaly detection for API access patterns that deviate from normal user behavior
How to Mitigate CVE-2026-33759
Immediate Actions Required
- Update WWBN AVideo to a version containing commit bb716fbece656c9fe39784f11e4e822b5867f1ca or later
- Review web server logs for evidence of prior exploitation or enumeration attempts
- Audit all API endpoints for similar IDOR vulnerabilities
- Consider implementing additional access controls at the web server or reverse proxy level
Patch Information
WWBN has released a security patch addressing this vulnerability. The fix is available in commit bb716fbece656c9fe39784f11e4e822b5867f1ca. Organizations running affected versions should apply this patch immediately. For detailed information, refer to the GitHub Security Advisory.
Workarounds
- Implement authentication requirements at the web server level (nginx/Apache) for all /objects/ API endpoints
- Deploy a Web Application Firewall (WAF) rule to block unauthenticated requests to sensitive API endpoints
- Restrict access to the AVideo API to trusted IP ranges or authenticated users only
- Use a reverse proxy to add authentication layers in front of vulnerable endpoints
# Example nginx configuration to require authentication for API endpoints
# The zone referenced below must be declared once in the http {} context, e.g.:
# limit_req_zone $binary_remote_addr zone=api_limit:10m rate=5r/s;
# (avideo_backend is likewise an upstream {} block defined in http {}.)
location /objects/ {
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
    # Rate limiting to prevent enumeration
    limit_req zone=api_limit burst=10 nodelay;
    proxy_pass http://avideo_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.