CVE-2026-33761 Overview
CVE-2026-33761 is an information disclosure vulnerability affecting WWBN AVideo, an open source video platform. The vulnerability exists in the Scheduler plugin where three list.json.php endpoints lack proper authentication checks. While other endpoints in the same plugin directories (add.json.php, delete.json.php, index.php) properly require User::isAdmin() authorization, these listing endpoints can be accessed without any authentication.
Critical Impact
An unauthenticated attacker can retrieve all scheduled tasks including internal callback URLs and parameters, admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests.
Affected Products
- WWBN AVideo versions up to and including 26.0
- AVideo Scheduler Plugin (Email_to_user, Emails_messages, and related list.json.php endpoints)
- Self-hosted AVideo installations with the Scheduler plugin enabled
Discovery Timeline
- 2026-03-27 - CVE-2026-33761 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-33761
Vulnerability Analysis
This vulnerability represents a classic broken access control flaw (CWE-200: Exposure of Sensitive Information) in the AVideo Scheduler plugin. The root issue stems from inconsistent authentication enforcement across plugin endpoints. While administrative operations like adding and deleting scheduled tasks properly verify that the requesting user has admin privileges via User::isAdmin(), the corresponding list endpoints that retrieve sensitive data were left unprotected.
The vulnerable endpoints expose three categories of sensitive information: scheduled task configurations containing internal callback URLs and operational parameters, email message content composed by administrators, and user-to-email mapping data that reveals the relationship between platform users and their email addresses. This information leakage could enable attackers to understand internal system architecture, discover additional attack surfaces, or conduct targeted social engineering attacks.
Root Cause
The vulnerability originates from missing authorization checks in the list.json.php files within the Scheduler plugin's View directories. Specifically, the files at plugin/Scheduler/View/Email_to_user/list.json.php and plugin/Scheduler/View/Emails_messages/list.json.php directly query and return all database records without first validating that the requesting user has administrative privileges.
Attack Vector
Exploitation requires no authentication and can be performed remotely over the network. An attacker simply needs to send HTTP GET requests to the vulnerable endpoints:
- /plugin/Scheduler/View/Email_to_user/list.json.php
- /plugin/Scheduler/View/Emails_messages/list.json.php
The endpoints respond with JSON data containing all stored records, including sensitive scheduling information, email content, and user mappings.
// Vulnerable code pattern (before patch)
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Email_to_user.php';
header('Content-Type: application/json');
// Missing: Authentication check
$rows = Email_to_user::getAll();
$total = Email_to_user::getTotal();
The fix adds the required User::isAdmin() check:
// Patched code (commit 83390ab1fa8dca2de3f8fa76116a126428405431)
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Email_to_user.php';
header('Content-Type: application/json');
// Reject the request before any database access unless the session belongs to an admin
if (!User::isAdmin()) {
    http_response_code(403);
    die(json_encode(['error' => true, 'msg' => 'Not authorized']));
}
$rows = Email_to_user::getAll();
$total = Email_to_user::getTotal();
Source: GitHub Commit
Detection Methods for CVE-2026-33761
Indicators of Compromise
- Unexpected HTTP 200 responses to unauthenticated requests against /plugin/Scheduler/View/*/list.json.php endpoints
- Anomalous access patterns to Scheduler plugin JSON endpoints from external or unauthorized IP addresses
- Web server logs showing bulk requests to list.json.php files without associated session cookies or authentication headers
- Evidence of data exfiltration attempts in outbound network traffic following access to vulnerable endpoints
Detection Strategies
- Configure web application firewall (WAF) rules to monitor and alert on unauthenticated access attempts to the Scheduler plugin's JSON endpoints
- Implement server-side access logging for all requests to /plugin/Scheduler/View/ paths and correlate with authentication status
- Deploy intrusion detection signatures that identify JSON responses containing sensitive fields like callback_url, email_body, or user mapping data in response to unauthenticated requests
- Review existing access logs for historical exploitation attempts targeting the vulnerable endpoints
Monitoring Recommendations
- Enable detailed request logging for the AVideo application with authentication context to identify unauthorized access patterns
- Set up real-time alerting for successful JSON responses (HTTP 200) to Scheduler plugin list endpoints without valid admin session tokens
- Monitor for reconnaissance activity including sequential enumeration of plugin endpoints from single source addresses
- Correlate Scheduler endpoint access with user authentication events to identify discrepancies
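A log review script for the detection strategies and monitoring recommendations above, added here as an example; it is not part of the original advisory or of the AVideo project. It assumes an Apache combined access log with a trailing %{Cookie}i field and PHP's default PHPSESSID session cookie name; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic). Format assumed: Apache "combined"
# plus a trailing "%{Cookie}i" field so the session cookie is visible in the log.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2026:10:15:01 +0000] "GET /plugin/Scheduler/View/Email_to_user/list.json.php HTTP/1.1" 200 4821 "-" "curl/8.4.0" "-"
203.0.113.7 - - [28/Mar/2026:10:15:02 +0000] "GET /plugin/Scheduler/View/Emails_messages/list.json.php HTTP/1.1" 200 1933 "-" "curl/8.4.0" "-"
10.0.0.5 - - [28/Mar/2026:10:20:44 +0000] "GET /plugin/Scheduler/View/Email_to_user/list.json.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0" "PHPSESSID=9f3a1c"
198.51.100.9 - - [28/Mar/2026:11:02:10 +0000] "GET /plugin/Scheduler/View/Emails_messages/list.json.php HTTP/1.1" 403 41 "-" "python-requests/2.31" "-"
10.0.0.5 - - [28/Mar/2026:11:05:00 +0000] "GET /plugin/Scheduler/View/Email_to_user/add.json.php HTTP/1.1" 200 120 "-" "Mozilla/5.0" "PHPSESSID=9f3a1c"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# The vulnerable listing endpoints all live at plugin/Scheduler/View/<name>/list.json.php
ENDPOINT_RE = re.compile(r'^/plugin/Scheduler/View/[^/]+/list\.json\.php(?:\?.*)?$')

def scheduler_list_requests(log_text):
    """Yield parsed records for requests that hit a Scheduler list.json.php endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and ENDPOINT_RE.match(m.group("path")):
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?")[0]  # drop any query string before grouping
            yield rec

def find_unauthenticated_hits(log_text):
    """Return (ip, time, path) for every HTTP 200 served to a list.json.php request
    that carried no PHP session cookie: the signature of the pre-patch leak."""
    return [
        (r["ip"], r["time"], r["path"])
        for r in scheduler_list_requests(log_text)
        if r["status"] == "200" and "PHPSESSID=" not in r["cookie"]  # default PHP cookie name (assumed)
    ]

def enumeration_by_source(log_text, min_endpoints=2):
    """Map source IP -> distinct list endpoints it reached, keeping only sources that
    touched at least min_endpoints (the sequential-enumeration pattern)."""
    seen = defaultdict(set)
    for r in scheduler_list_requests(log_text):
        seen[r["ip"]].add(r["path"])
    return {ip: paths for ip, paths in seen.items() if len(paths) >= min_endpoints}

if __name__ == "__main__":
    print("unauthenticated 200s:", find_unauthenticated_hits(SAMPLE_LOG))
    print("multi-endpoint sources:", enumeration_by_source(SAMPLE_LOG))
```

A request that carries a session cookie is not necessarily an admin session, so the enumeration output is meant for correlation with authentication events rather than as a verdict on its own.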
How to Mitigate CVE-2026-33761
Immediate Actions Required
- Update WWBN AVideo to a version containing commit 83390ab1fa8dca2de3f8fa76116a126428405431 or later
- If immediate patching is not possible, restrict access to the Scheduler plugin endpoints at the web server or reverse proxy level
- Audit access logs for evidence of prior exploitation and assess potential data exposure
- Review and rotate any sensitive callback URLs or API keys that may have been exposed through the vulnerable endpoints
Patch Information
WWBN has released a security patch in commit 83390ab1fa8dca2de3f8fa76116a126428405431 that adds the missing User::isAdmin() authorization checks to all three vulnerable list.json.php endpoints. The patch ensures consistency with the existing security model where only authenticated administrators can access Scheduler plugin functionality. For detailed patch information, refer to the GitHub Security Advisory GHSA-j724-5c6c-68g5.
Workarounds
- Implement web server access controls to restrict access to /plugin/Scheduler/View/*/list.json.php endpoints to authenticated administrators only
- Disable the Scheduler plugin entirely if the scheduling functionality is not required for your deployment
- Deploy a reverse proxy rule that blocks unauthenticated requests to the vulnerable endpoint paths
- Apply network-level segmentation to limit access to the AVideo administrative interface to trusted networks
# Apache configuration example - block unauthenticated access to vulnerable endpoints
<LocationMatch "^/plugin/Scheduler/View/.*/list\.json\.php$">
    # Restrict to trusted administrative IP ranges (adjust to your networks);
    # with Apache 2.4 authorization, every client that matches no Require line is denied
    Require ip 10.0.0.0/8 192.168.0.0/16
</LocationMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.