CVE-2026-33037: CWE-1188: Insecure Default Initialization of Resource in WWBN AVideo

Severity: High
Published: Fri Mar 20 2026 (03/20/2026, 05:25:49 UTC)
Source: CVE Database V5
Vendor/Project: WWBN
Product: AVideo

Description

WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover. No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk. Exploitation depends on operators failing to change the default, a condition likely met in quick-start, demo, and automated deployments. This issue has been fixed in version 26.0.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/20/2026, 21:39:57 UTC

Technical Analysis

CVE-2026-33037 is a high-severity vulnerability in WWBN AVideo, an open-source video platform, affecting versions 25.0 and earlier. The root cause is insecure default initialization of critical credentials in the official Docker deployment files (docker-compose.yml and env.example): the admin password is set to the static string "password" and the database credentials to "avideo/avideo". During installation the installer seeds the admin account from the SYSTEM_ADMIN_PASSWORD environment variable, so any instance brought up without overriding that variable starts with a publicly known admin password.

No compensating control catches this: there is no forced password change on first login, no complexity validation, and no detection of the default value. The admin password is additionally stored as an MD5 hash, a fast digest that offers little resistance to offline guessing if the hash is ever obtained. Full administrative access lets an attacker read user data, manipulate content, and potentially execute code on the host through file uploads or plugin management. The exposure is greatest in deployments that use the official compose files without customization: quick-start setups, demos, and automated pipelines that never set the variable. The issue is fixed in version 26.0.

The CVSS 3.1 base score of 8.1 corresponds to a network attack vector with no privileges or user interaction required and high impact on confidentiality, integrity, and availability; attack complexity is rated high because exploitation depends on a precondition outside the attacker's control, namely that the operator left the default in place. No exploitation in the wild had been reported at the time of this analysis.

Potential Impact

Organizations running AVideo 25.0 or earlier from the unmodified Docker deployment face complete administrative compromise by anyone who can reach the login page, because the admin credential is public knowledge. Full control of the platform means exposure of user data, unauthorized content changes, and potential remote code execution through file upload and plugin management, which in turn can serve as a foothold for lateral movement into the surrounding network. Demo, test, and automated deployments that never customize credentials are the most likely to be affected, and since the same credential works against every unmodified install, exposed instances can be found and taken over at scale. The MD5 password hashing compounds the problem: if the user table is leaked, non-default passwords are also cheap to recover offline. For organizations relying on AVideo for hosting, streaming, or content delivery the consequences range from data breach to service disruption and reputational damage.

Mitigation Recommendations

Operators should upgrade to WWBN AVideo 26.0 or later, where this issue is fixed. Until then, never deploy with the shipped SYSTEM_ADMIN_PASSWORD: set a strong, unique admin password through the environment before the first start. Because the variable is only consumed when the admin account is seeded at installation, editing it on an already-installed instance does not change the existing password; reset that account's password through the application instead. Likewise, change the database credentials from "avideo/avideo" to strong, unique values before the database volume is first initialized (on an existing instance, rotate the password in the database itself and then update the env file), and keep the database port off any untrusted network.

Treat any instance that was reachable while running with the default as potentially compromised: audit for additional admin accounts, unexpected plugins, and recently uploaded files, and reset all privileged credentials. Custom builds that add a forced password change on first login, complexity rules, or a stronger password hash such as bcrypt or Argon2 are possible, but a hash change requires migrating existing records and the changes must be carried forward on every update; upgrading is the supportable path.

Limit the blast radius of a compromised admin account by disabling or tightly controlling file upload and plugin management. Add an automated check to CI/CD pipelines that refuses to deploy an env or compose file containing the known defaults, monitor logs and network traffic for unexpected administrative logins, and make sure administrators understand why default credentials must never reach a reachable instance.
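The following script is an added example, not code from the AVideo project, covering both the insecure defaults named in the description and the pre-deployment check and credential generation recommended above. SYSTEM_ADMIN_PASSWORD and the values "password" and "avideo" come from the advisory; the MYSQL_USER and MYSQL_PASSWORD variable names are an assumption about the compose layout, the 16-character minimum is this script's own policy, and the sample env file is constructed inline for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of AVideo: gate a Docker deployment on the absence of
# the insecure defaults described in CVE-2026-33037 and write a hardened env
# file. SYSTEM_ADMIN_PASSWORD comes from the advisory; the MYSQL_* variable
# names are an assumption about the compose layout, and the 16-character floor
# is this script's own policy.
set -eu

# key=shipped-default pairs, one per line.
INSECURE_DEFAULTS='SYSTEM_ADMIN_PASSWORD=password
MYSQL_USER=avideo
MYSQL_PASSWORD=avideo'

# Print the value of KEY from an env file (last definition wins), stripping one
# layer of surrounding quotes; prints nothing when the key is absent.
env_value() {
  val=$(grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-)
  val=${val#\"}; val=${val%\"}; val=${val#\'}; val=${val%\'}
  printf '%s' "$val"
}

# Return 0 if the env file is safe to deploy, 1 otherwise, printing each finding.
# An unset key fails too: the compose file would then fall back to the image default.
check_env_defaults() {
  file=$1; bad=0
  for entry in $INSECURE_DEFAULTS; do
    key=${entry%%=*}; weak=${entry#*=}
    val=$(env_value "$file" "$key")
    if [ -z "$val" ]; then
      echo "FAIL: $key unset or empty in $file (the image default would apply)"
      bad=1
    elif [ "$val" = "$weak" ]; then
      echo "FAIL: $key still set to the shipped default '$weak'"
      bad=1
    elif [ "${#val}" -lt 16 ]; then
      echo "FAIL: $key shorter than 16 characters"
      bad=1
    fi
  done
  return "$bad"
}

# 32 alphanumeric characters from the kernel CSPRNG; safe to paste unquoted
# into .env and compose files.
gen_secret() {
  head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32
}

# Copy an env file, replacing every key listed in INSECURE_DEFAULTS with a
# fresh secret and appending any key that was missing. Only effective before
# the first start: MYSQL_* values are consumed when the database volume is
# initialised and SYSTEM_ADMIN_PASSWORD when the admin account is seeded.
harden_env() {
  src=$1; dst=$2
  : > "$dst"
  while IFS= read -r line || [ -n "$line" ]; do
    key=${line%%=*}; replaced=0
    for entry in $INSECURE_DEFAULTS; do
      if [ "$key" = "${entry%%=*}" ]; then
        printf '%s=%s\n' "$key" "$(gen_secret)" >> "$dst"
        replaced=1
        break
      fi
    done
    [ "$replaced" -eq 1 ] || printf '%s\n' "$line" >> "$dst"
  done < "$src"
  for entry in $INSECURE_DEFAULTS; do
    key=${entry%%=*}
    grep -q "^$key=" "$dst" || printf '%s=%s\n' "$key" "$(gen_secret)" >> "$dst"
  done
  chmod 600 "$dst"
}

# Constructed sample mirroring the shipped defaults (not the project's file).
SAMPLE_ENV=$(mktemp)
HARDENED_ENV="$SAMPLE_ENV.hardened"
cat > "$SAMPLE_ENV" <<'EOF'
# constructed env file for the example
SYSTEM_ADMIN_PASSWORD=password
MYSQL_USER=avideo
MYSQL_PASSWORD=avideo
EOF

if check_env_defaults "$SAMPLE_ENV"; then
  echo "$SAMPLE_ENV passed (unexpected for the shipped defaults)"
else
  harden_env "$SAMPLE_ENV" "$HARDENED_ENV"
  if check_env_defaults "$HARDENED_ENV"; then
    echo "hardened copy at $HARDENED_ENV passes"
  fi
fi
```

In a pipeline, run `check_env_defaults .env || exit 1` immediately before `docker compose up -d` so a deployment with the shipped defaults never starts. The hardened file only helps a fresh deployment: on an instance that has already been installed, change the admin password in the application and rotate the database password in the database itself, then update the env file to match.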

Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-17T18:10:50.210Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69bdbd96e2bf98efc48d1059

Added to database: 3/20/2026, 9:35:18 PM

Last enriched: 3/20/2026, 9:39:57 PM

Last updated: 3/21/2026, 3:50:12 AM
