DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33650: CVE-2026-33650: Privilege Escalation via Incorrect Authorization in WWBN AVideo

#security #cve #cybersecurity

CVE-2026-33650: Privilege Escalation via Incorrect Authorization in WWBN AVideo

Vulnerability ID: CVE-2026-33650
CVSS Score: 7.6
Published: 2026-03-25

WWBN AVideo versions up to and including 26.0 contain an incorrect authorization vulnerability (CWE-863). Users with the 'Videos Moderator' permission can exploit inconsistent authorization boundaries to transfer video ownership and delete arbitrary videos, resulting in privilege escalation.

TL;DR

A privilege escalation flaw in WWBN AVideo <= 26.0 allows 'Videos Moderator' users to bypass authorization checks, transfer arbitrary video ownership to themselves, and subsequently delete videos they do not own.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-863
  • Attack Vector: Network
  • CVSS Score: 7.6
  • EPSS Score: 0.00028
  • Impact: High Integrity, Low Availability
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • WWBN AVideo <= 26.0
  • AVideo: <= 26.0 (Fixed in: Commit 838e16818c793779406ecbf34ebaeba9830e33f8)

Code Analysis

Commit: 838e168

Fix incorrect authorization bounds in videoAddNew.json.php

- if (!Video::canEdit($_POST['id']) && !Permissions::canModerateVideos()) {
+ if (!Video::canEdit($_POST['id'])) {
Enter fullscreen mode Exit fullscreen mode

Exploit Details

Mitigation Strategies

  • Upgrade WWBN AVideo to the latest patched version.
  • Audit active user roles and remove the 'Videos Moderator' permission from non-essential accounts.
  • Monitor access logs for suspicious sequential requests to videoAddNew.json.php and videoDelete.json.php.

Remediation Steps:

  1. 1. Backup the AVideo database and web directory.
  2. 2. Apply commit 838e16818c793779406ecbf34ebaeba9830e33f8 to the application codebase or upgrade to a release > 26.0.
  3. 3. Review the 'users_id' field in the video metadata database table for unauthorized ownership transfers.
  4. 4. Restart the web server application to clear any cached PHP processes.

References

Read the full report for CVE-2026-33650 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)