CVE-2026-33690: IP Address Spoofing via Unsafe Header Processing in WWBN AVideo
Vulnerability ID: CVE-2026-33690
CVSS Score: 5.3
Published: 2026-03-25
WWBN AVideo versions up to and including 26.0 are vulnerable to IP address spoofing due to improper validation of HTTP headers. The application prioritizes user-controlled headers such as X-Forwarded-For over the actual TCP connection address, allowing attackers to bypass IP-based security controls.
TL;DR
AVideo <= 26.0 blindly trusts HTTP headers for client IP resolution, enabling IP spoofing and security control bypass.
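The following Python is an added illustration, not code from the AVideo project or the advisory, of the two resolution strategies the description contrasts: a header-first lookup that lets any client choose its own address, and the conditional trust model the fix commit describes, where forwarding headers are consulted only when the TCP peer is a trusted proxy. The request dictionaries, the trusted-network list and the function names are assumptions constructed for the example; a real deployment would narrow the trusted networks to its actual proxy hosts.

```python
import ipaddress

# Assumption: networks that a deployment's own reverse proxies live in. The fix commit
# describes trust conditioned on private IP ranges, so the defaults are the RFC 1918,
# loopback and IPv6 ULA ranges; operators should narrow this to their proxy hosts.
DEFAULT_TRUSTED_PROXIES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "::1/128", "fc00::/7")
]


def parse_ip(value):
    """Return an ip_address object for a well-formed literal, else None."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_trusted(ip, trusted_networks):
    """True when ip is a valid literal inside one of the trusted networks."""
    addr = parse_ip(ip)
    return addr is not None and any(addr in net for net in trusted_networks)


def client_ip_vulnerable(server):
    """Header-first resolution (the bug class in the advisory): whatever the client
    sends in X-Forwarded-For or X-Real-IP wins over the TCP peer address."""
    for key in ("HTTP_X_FORWARDED_FOR", "HTTP_X_REAL_IP"):
        value = server.get(key, "").strip()
        if value:
            return value.split(",")[0].strip()
    return server["REMOTE_ADDR"]


def client_ip_hardened(server, trusted_networks=DEFAULT_TRUSTED_PROXIES):
    """Conditional trust: forwarding headers are consulted only when the TCP peer is a
    trusted proxy, and the client is taken from the right-hand end of the
    X-Forwarded-For chain (the part the trusted proxy appended), never the left."""
    peer = server["REMOTE_ADDR"]
    if not is_trusted(peer, trusted_networks):
        return peer  # direct connection from outside: every header is client-controlled

    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if parse_ip(hop) is None:
            return peer  # malformed value in the trusted part of the chain: drop the header
        if not is_trusted(hop, trusted_networks):
            return hop  # first untrusted hop from the right is the real client
    if hops:
        return hops[0]  # every hop is inside the trusted networks: an internal client

    real_ip = server.get("HTTP_X_REAL_IP", "").strip()
    if parse_ip(real_ip) is not None:
        return real_ip  # single-hop proxy that sets X-Real-IP instead of X-Forwarded-For
    return peer


if __name__ == "__main__":
    # Constructed server variables, shaped like the $_SERVER array a PHP app would see.
    direct_spoof = {"REMOTE_ADDR": "203.0.113.10", "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
    behind_proxy = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "127.0.0.1, 198.51.100.7"}
    for name, req in (("direct_spoof", direct_spoof), ("behind_proxy", behind_proxy)):
        print(name, client_ip_vulnerable(req), client_ip_hardened(req))
```

The difference shows on a direct connection carrying a forged header: the header-first function reports the forged loopback address, while the hardened one ignores the header because the peer is not a proxy. Behind a real proxy, the hardened function still picks the address the proxy appended rather than the value the client prepended.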
Technical Details
- CWE ID: CWE-348
- Attack Vector: Network
- CVSS v3.1: 5.3
- EPSS Score: 0.00014
- Impact: Access Control Bypass
- Exploit Status: Unexploited
- KEV Status: Not Listed
Affected Systems
- WWBN AVideo
- AVideo: <= 26.0 (Fixed in: 26.1)
Code Analysis
Commit: 1a1df6a
Refactor IP retrieval logic to implement a conditional trust model based on private IP ranges
Mitigation Strategies
- Update WWBN AVideo to a version released after March 23, 2026 (Version > 26.0).
- Configure reverse proxies (e.g., Nginx, HAProxy) to strip or override incoming X-Forwarded-For and X-Real-IP headers from external clients.
Remediation Steps:
- Verify the current AVideo version deployed in the environment.
- Apply the latest update from the WWBN repository, ensuring commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c is included.
- Review reverse proxy configurations to enforce strict header stripping at the edge.
- Audit application logs for any historical IP address anomalies.
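As an added example of the audit step (not code from the advisory or from AVideo), the script below scans access-log lines for the one anomaly this vulnerability leaves behind: a forwarding header that arrived on a connection from a peer that is not a trusted proxy. Every such header was supplied by the client itself and, on a vulnerable version, would have been honoured. The log format, the sample lines and the trusted-proxy networks are constructed assumptions; adapt the regular expression to the logger actually in use.

```python
import ipaddress
import re

# Assumption: the reverse proxies sit in these networks; adjust to the deployment.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed log lines (not real AVideo output): TCP peer, timestamp, request, status,
# and the X-Forwarded-For value that was logged ("-" when the header was absent).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 xff="198.51.100.7"
203.0.113.10 - - [24/Mar/2026:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 xff="127.0.0.1"
203.0.113.11 - - [24/Mar/2026:10:00:03 +0000] "POST /admin HTTP/1.1" 200 xff="-"
198.51.100.9 - - [24/Mar/2026:10:00:04 +0000] "GET /index.php HTTP/1.1" 403 xff="203.0.113.99"
this line is not in the expected format
"""

LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) xff="(?P<xff>[^"]*)"$'
)


def in_any(ip, networks):
    """True when ip is a valid literal inside one of the given networks."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in networks)


def audit_forwarding_headers(log_text, trusted_networks=TRUSTED_PROXIES):
    """Return one finding per request whose X-Forwarded-For came from an untrusted peer.
    A header that additionally claims an address inside the trusted networks is rated
    higher, since that is the shape of an attempt to look like an internal client."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        peer, xff = m["peer"], m["xff"]
        if xff == "-" or in_any(peer, trusted_networks):
            continue  # no header, or the header was set by one of our own proxies
        claims_internal = any(in_any(hop, trusted_networks) for hop in xff.split(","))
        findings.append({
            "time": m["time"],
            "peer": peer,
            "xff": xff,
            "request": m["request"],
            "severity": "high" if claims_internal else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_forwarding_headers(SAMPLE_LOG):
        print(finding)
```

On the sample, the request from the proxy at 10.0.0.5 is accepted as normal, the direct request carrying a loopback address is rated high, and the direct request carrying an arbitrary public address is rated medium. Once the reverse proxy strips or overrides these headers at the edge, as the mitigation list recommends, the medium-severity pattern should disappear entirely from new logs.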
References
- GHSA-8p2x-5cpm-qrqw
- Fix Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c
- CVE-2026-33690 Record
- NVD Detail CVE-2026-33690