CVE-2026-33719: Unauthenticated CDN Configuration Takeover in WWBN AVideo
Vulnerability ID: CVE-2026-33719
CVSS Score: 8.6
Published: 2026-03-25
WWBN AVideo versions up to 26.0 suffer from a critical missing authentication vulnerability in the CDN plugin. An unauthenticated attacker can exploit a logic flaw in default key handling combined with a mass-assignment vulnerability to take complete control of the CDN configuration.
TL;DR
Unauthenticated attackers can modify WWBN AVideo CDN configurations via a default empty key bypass and mass-assignment flaw, leading to traffic redirection and potential credential theft.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-306
- Attack Vector: Network
- CVSS Score: 8.6 (High)
- EPSS Score: 0.00123
- Impact: Configuration Takeover / Credential Exposure
- Exploit Status: PoC Available
- CISA KEV: Not Listed
Affected Systems
- WWBN AVideo <= 26.0 (CDN Plugin); fixed in versions > 26.0
Code Analysis
Commit: adeff0a
Fixed unauthenticated CDN configuration takeover by implementing hash_equals strict comparison and property whitelisting.
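The two defects the advisory names, an empty default key that a loose comparison accepts and a handler that copies every submitted property into the configuration, are easiest to see side by side. The PHP below is an added illustration written for this page, not AVideo's code and not the contents of commit adeff0a; the function names, the configuration array, the request array and the `CDN_WRITABLE` whitelist are all assumptions. Rejecting an unconfigured (empty) key outright is an extra defensive check added here; the page attributes only the `hash_equals` comparison and the property whitelist to the fix.

```php
<?php
// Added example (not AVideo project code). Shows the vulnerable pattern the
// advisory describes beside a hardened handler. All names are hypothetical.

// Constructed stored configuration: the plugin freshly enabled, key never set.
$storedConfig = [
    'key'         => '',                                // hypothetical empty default key
    'cdn_url'     => 'https://cdn.example.invalid/',
    'storage_key' => 'unchanged',                       // stands in for S3/B2/FTP credentials
];

// Vulnerable pattern: loose comparison, so a missing key in the request ('')
// matches an empty stored key, and every request field is mass-assigned.
function vulnerableUpdate(array $stored, array $request): array
{
    $provided = $request['key'] ?? '';
    if ($provided != $stored['key']) {      // '' != '' is false, so the check passes
        return $stored;
    }
    foreach ($request as $name => $value) { // no whitelist: any property can be set
        $stored[$name] = $value;
    }
    return $stored;
}

// Hardened pattern: refuse to run without a configured key, compare in
// constant time with hash_equals (strict, string-only), copy only
// whitelisted properties.
const CDN_WRITABLE = ['cdn_url', 'cdn_enabled'];        // hypothetical whitelist

function hardenedUpdate(array $stored, array $request): array
{
    if (!is_string($stored['key']) || $stored['key'] === '') {
        throw new RuntimeException('CDN key not configured; refusing update');
    }
    $provided = $request['key'] ?? null;
    // hash_equals() requires two strings; check the type first to avoid a TypeError.
    if (!is_string($provided) || !hash_equals($stored['key'], $provided)) {
        throw new RuntimeException('authentication failed');
    }
    foreach (CDN_WRITABLE as $name) {
        if (array_key_exists($name, $request)) {
            $stored[$name] = $request[$name];
        }
    }
    return $stored;
}

// Constructed unauthenticated request: no key, tries to change the CDN URL
// and overwrite a credential field.
$request = ['cdn_url' => 'https://redirect.example.invalid/', 'storage_key' => 'overwritten'];

$after = vulnerableUpdate($storedConfig, $request);
echo "vulnerable: cdn_url={$after['cdn_url']} storage_key={$after['storage_key']}", PHP_EOL;

try {
    hardenedUpdate($storedConfig, $request);
} catch (RuntimeException $e) {
    echo 'hardened: ', $e->getMessage(), PHP_EOL;      // key not configured -> rejected
}

// Once an operator has set a strong key and the request carries it, only
// whitelisted properties change; storage_key is left untouched.
$storedConfig['key'] = bin2hex(random_bytes(32));
$request['key'] = $storedConfig['key'];
$after = hardenedUpdate($storedConfig, $request);
echo "hardened (authenticated): cdn_url={$after['cdn_url']} storage_key={$after['storage_key']}", PHP_EOL;
```

The point of the whitelist is independent of the key check: even an authenticated edge node should not be able to rewrite storage credentials through a generic "update configuration" endpoint, so the writable set is enumerated in code rather than derived from the request body.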
Mitigation Strategies
- Upgrade WWBN AVideo to a version greater than 26.0.
- Manually configure a strong, unique authentication key in the CDN plugin settings immediately upon activation.
- Implement network segmentation to restrict access to the plugin/CDN/ endpoints to trusted edge node IP addresses.
Remediation Steps:
- Verify the current version of the AVideo installation.
- Apply the official update providing the patch for commit adeff0a31ba04a56f411eef256139fd7ed7d4310.
- Access the CDN plugin configuration interface.
- Generate and input a cryptographically secure string into the authentication key field.
- Review the database for unauthorized changes to CDN URLs or storage credentials.
- Rotate S3, B2, or FTP credentials if unauthorized modifications are detected.
References
Read the full report for CVE-2026-33719 on our website for more details including interactive diagrams and full exploit analysis.