CVE-2026-33716: Critical Authentication Bypass in WWBN AVideo Live Stream Control
Vulnerability ID: CVE-2026-33716
CVSS Score: 9.4
Published: 2026-03-25
WWBN AVideo versions 26.0 and prior are vulnerable to an unauthenticated remote authentication bypass (CWE-287) in the live stream control endpoint. Because the endpoint accepts an unvalidated streamerURL parameter, an attacker can override the URL used for its internal verification request, and with verification defeated can issue arbitrary RTMP stream-management commands without credentials.
TL;DR
A critical flaw in AVideo's control.json.php allows unauthenticated remote attackers to bypass token verification by supplying a malicious streamerURL, granting administrative control over live streams.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-287
- Attack Vector: Network
- CVSS Score: 9.4
- EPSS Score: 0.00082
- Impact: High Integrity, High Availability, Low Confidentiality
- Exploit Status: poc
- KEV Status: Not Listed
Affected Systems
- WWBN AVideo <= 26.0 (fixed in versions > 26.0)
Code Analysis
Commit: 388fcd5
The fix removes the client-controlled streamerURL override, so the verification target can no longer be supplied in the request, and adds sanitization of the name parameter to prevent path traversal.
Mitigation Strategies
- Upgrade WWBN AVideo to a version > 26.0 (the only fix that removes the vulnerable code path).
- As a stopgap, restrict access to the plugin/Live/standAloneFiles/ directory by source IP so that only the hosts that legitimately call the control endpoint (for example the NGINX-RTMP server) can reach it.
- As a stopgap, deploy WAF rules that block requests to the control.json.php endpoint carrying a streamerURL parameter; inspect request bodies as well as the query string so the parameter cannot simply be moved.
Remediation Steps:
- Backup the current AVideo installation and database.
- Download the latest stable release of WWBN AVideo or manually apply commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128.
- Verify the integrity of the updated files, specifically plugin/Live/standAloneFiles/control.json.php.
- Restart the web server and NGINX RTMP services.
- Monitor access logs for unauthorized attempts to access control.json.php.
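The following is an added example to support the last remediation step and the IP-restriction and WAF stopgaps above; it is not code from this advisory or from the AVideo project. It scans web-server access logs (assumed to be in the Apache/NGINX "combined" format) for requests to control.json.php that come from outside a hypothetical allowlist of trusted networks, that carry a client-supplied streamerURL parameter, or that put traversal characters in the name parameter. The allowlist and the sample log lines are constructed for illustration.

```python
"""Access-log triage for CVE-2026-33716 probing (added example; not code from the
advisory or from the AVideo project).

Assumptions (for illustration): the web server writes Apache/NGINX "combined"
access logs, and the only legitimate callers of control.json.php are hosts in
TRUSTED_NETWORKS (e.g. the NGINX-RTMP server). Adjust both to your deployment.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/plugin/Live/standAloneFiles/control.json.php"
OVERRIDE_PARAM = "streamerurl"  # compared case-insensitively to catch evasion variants

# Hypothetical allowlist of networks permitted to reach the control endpoint.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Common/combined log format: client identd user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line; return a dict with path and query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return the findings for one parsed entry (empty list if benign)."""
    findings = []
    if entry["path"] != TARGET_PATH:
        return findings
    # Finding 1: control endpoint reached from outside the allowlist.
    try:
        src = ipaddress.ip_address(entry["ip"])
        trusted = any(src in net for net in TRUSTED_NETWORKS)
    except ValueError:  # hostname or garbage in the client field: treat as untrusted
        trusted = False
    if not trusted:
        findings.append("control-endpoint-from-untrusted-source")
    # Finding 2: client-supplied streamerURL, the parameter the fix removed.
    if any(k.lower() == OVERRIDE_PARAM for k in entry["query"]):
        findings.append("streamerURL-override-attempt")
    # Finding 3: traversal characters in name, which the fix now sanitizes.
    for value in entry["query"].get("name", []):
        if ".." in value or "/" in value or "\\" in value:
            findings.append("name-path-traversal-attempt")
            break
    return findings


def scan(lines):
    """Return [(client_ip, findings), ...] for every line that raised a finding."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            alerts.append((entry["ip"], findings))
    return alerts


# Constructed sample log lines (not real traffic). Only the second and fourth
# should be flagged; the first is an in-allowlist call without the override.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Mar/2026:10:01:58 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?name=stream1 HTTP/1.1" 200 118',
    '203.0.113.7 - - [25/Mar/2026:10:02:11 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?name=stream1&streamerURL=http://attacker.invalid/ HTTP/1.1" 200 312',
    '198.51.100.4 - - [25/Mar/2026:10:03:40 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [25/Mar/2026:10:04:02 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?name=../../x&STREAMERURL=http://attacker.invalid/ HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ", ".join(findings))
```

Access logs record only the request line, so a streamerURL sent in a POST body (if the endpoint accepts one) would not appear here; that is why the log scan complements, rather than replaces, a WAF rule that inspects bodies and the upgrade that removes the parameter altogether. A 403 on a flagged line shows the IP restriction working; a 200 from an untrusted source on a pre-upgrade host is the line to investigate.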