CVE-2026-33649: GET-Based CSRF Privilege Escalation in WWBN AVideo
Vulnerability ID: CVE-2026-33649
CVSS Score: 8.1
Published: 2026-03-25
WWBN AVideo up to and including version 26.0 is vulnerable to Cross-Site Request Forgery (CSRF) in the permissions management endpoint. An attacker can escalate privileges by causing an authenticated administrator's browser to issue a state-changing GET request, which the endpoint accepts without any anti-CSRF token validation.
TL;DR
A critical CSRF flaw in AVideo allows unauthenticated attackers to grant arbitrary permissions to user groups by tricking an administrator into visiting a malicious page. The endpoint improperly accepts GET requests and lacks token validation, exacerbated by a global SameSite=None cookie policy.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-352
- Attack Vector: Network
- CVSS Score: 8.1
- EPSS Percentile: 2.59%
- Exploit Status: Proof of Concept Available
- CISA KEV: Not Listed
Affected Systems
- WWBN AVideo platform
- AVideo: <= 26.0
Exploit Details
- Security Advisory: HTML PoC demonstrating privilege escalation via img tags
Mitigation Strategies
- Manually patch the vulnerable PHP file to enforce POST and CSRF tokens
- Implement WAF rules to block GET requests to the permissions endpoint
- Avoid browsing other websites while logged into the AVideo management console
Remediation Steps
- Locate the file at plugin/Permissions/setPermission.json.php
- Add a check to verify $_SERVER['REQUEST_METHOD'] === 'POST'
- Add a check calling isGlobalTokenValid()
- Change all $_REQUEST references to $_POST for parameter extraction
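The three steps above, combined into a single guard block placed at the top of setPermission.json.php. This is an added example, not AVideo's own code: isGlobalTokenValid() is the helper named in the advisory, while the configuration include path, the User::isAdmin() check, the JSON response shape and the parameter names are assumptions.

```php
<?php
// Added example (not AVideo's own code). Assumed include path for the AVideo
// core, which defines isGlobalTokenValid() and the User class.
require_once dirname(__FILE__) . '/../../videos/configuration.php';

header('Content-Type: application/json');

$obj = new stdClass();
$obj->error = true;   // assumed response shape: {"error": bool, "msg": string}
$obj->msg = '';

// Step 1: refuse anything that is not POST. An <img src="..."> injected into an
// attacker-controlled page can only produce GET, so this alone defeats the
// image-tag PoC and any link- or redirect-based variant.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    $obj->msg = 'Method not allowed';
    die(json_encode($obj));
}

// Step 2: require a valid global anti-CSRF token. A cross-site POST (e.g. an
// auto-submitting form) still carries the admin's session cookie because of
// SameSite=None, but it cannot carry a token the attacker's page never saw.
if (!isGlobalTokenValid()) {
    http_response_code(403);
    $obj->msg = 'Invalid or missing CSRF token';
    die(json_encode($obj));
}

// Assumed authorisation check: only administrators may change group permissions.
if (!User::isAdmin()) {
    http_response_code(403);
    $obj->msg = 'Administrator privileges required';
    die(json_encode($obj));
}

// Step 3: read parameters only from $_POST, never from $_REQUEST, so values
// smuggled in the query string or in cookies are ignored. Parameter names below
// are hypothetical stand-ins for the endpoint's real ones.
$users_groups_id = isset($_POST['users_groups_id']) ? intval($_POST['users_groups_id']) : 0;
$permission_id   = isset($_POST['permission_id'])   ? intval($_POST['permission_id'])   : 0;
$active          = !empty($_POST['active']) ? 1 : 0;

if ($users_groups_id <= 0 || $permission_id <= 0) {
    http_response_code(400);
    $obj->msg = 'Missing or invalid users_groups_id / permission_id';
    die(json_encode($obj));
}

// ... the original permission-update logic follows here, now reachable only
// through an authenticated, token-bearing POST from an administrator.
```

Until the patch is applied, the same checks can be approximated at the edge by rejecting any GET to plugin/Permissions/setPermission.json.php in the WAF, as the mitigation list above suggests.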
References
- GitHub Advisory GHSA-g8x9-7mgh-7cvj
- NVD Detail for CVE-2026-33649
- CVE Record CVE-2026-33649
- WWBN AVideo Source Code