CVE-2026-33037: CWE-1188: Insecure Default Initialization of Resource in WWBN AVideo
WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover. No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk. Exploitation depends on operators failing to change the default, a condition likely met in quick-start, demo, and automated deployments. This issue has been fixed in version 26.0.
AI Analysis
Technical Summary
CVE-2026-33037 is a vulnerability in WWBN AVideo, an open-source video platform, affecting versions 25.0 and earlier. The root cause is insecure default initialization of critical credentials in the official Docker deployment files (docker-compose.yml and env.example). Specifically, the admin password is hardcoded as 'password' and automatically assigned to the admin account during installation if the SYSTEM_ADMIN_PASSWORD environment variable is not overridden. There are no compensating controls such as forced password changes on first login, password complexity enforcement, or detection of default passwords. Additionally, the password is hashed using the weak MD5 algorithm, which is vulnerable to collision and preimage attacks. The database credentials also use insecure default values (username: avideo, password: avideo), further increasing the attack surface. Exploitation requires no authentication or user interaction and can lead to full administrative access, allowing attackers to expose user data, manipulate video content, and execute remote code through file uploads and plugin management features. This vulnerability is particularly dangerous in quick-start, demo, or automated deployments where operators may neglect to change default credentials. The vulnerability has been assigned a CVSS 3.1 score of 8.1 (high severity) and was fixed in version 26.0 of AVideo.
Potential Impact
The impact of CVE-2026-33037 is significant for organizations deploying WWBN AVideo versions 25.0 and below, especially those using the official Docker deployment method without overriding default credentials. Successful exploitation results in complete administrative takeover, compromising confidentiality, integrity, and availability of the platform. Attackers can access sensitive user data, alter or delete video content, and potentially execute arbitrary code on the hosting server, leading to full system compromise. This can result in data breaches, service disruption, reputational damage, and potential lateral movement within the victim's network. The ease of exploitation (no authentication or user interaction required) and the widespread use of Docker for deployment increase the likelihood of successful attacks, particularly in environments where rapid deployment or demos are common. The insecure default database credentials further exacerbate the risk by enabling attackers to access backend data stores directly.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade to WWBN AVideo version 26.0 or later, where the issue is fixed. For existing deployments, it is critical to override the SYSTEM_ADMIN_PASSWORD environment variable during installation with a strong, unique password and ensure the database credentials are also changed from their defaults. Implement a policy to enforce password complexity and mandate password changes on first login to prevent default password usage. Additionally, replace the weak MD5 password hashing with a modern, secure hashing algorithm such as bcrypt or Argon2. Conduct thorough audits of all AVideo instances, especially those deployed via Docker, to detect and remediate any instances still using default credentials. Restrict access to the Docker deployment files and environment variables to trusted administrators only. Monitor logs and user activity for signs of unauthorized access or exploitation attempts. Consider implementing network segmentation and application-layer firewalls to limit exposure of the AVideo platform to untrusted networks.
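The credential audit the mitigation section asks for, as an added example that is not code from the AVideo project: it parses an env file and flags the shipped defaults the advisory names ("password" for the admin account, "avideo" for the database). Only SYSTEM_ADMIN_PASSWORD is taken from the advisory; the MYSQL_* key names and the 16-character minimum are assumptions.

```python
"""Audit an AVideo-style .env file for the shipped defaults named in
CVE-2026-33037 (added example, not project code)."""
import re

INSECURE_DEFAULTS = {"password", "avideo"}  # admin and DB defaults from the advisory
MIN_LENGTH = 16  # local policy threshold, not from the advisory
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text):
    """Parse KEY=VALUE lines; comments and blank lines ignored, quotes stripped."""
    env = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def audit_env(env):
    """Return (key, problem) findings for default or weak passwords; [] means clean."""
    findings = []
    if "SYSTEM_ADMIN_PASSWORD" not in env:
        # Without an override the compose defaults seed the admin account.
        findings.append(("SYSTEM_ADMIN_PASSWORD", "not set; shipped default will be used"))
    for key, value in env.items():
        if not re.search(r"PASS(WORD)?$", key, re.IGNORECASE):
            continue  # only password-like keys are checked
        if value.lower() in INSECURE_DEFAULTS:
            findings.append((key, f"uses shipped default value {value!r}"))
        elif len(value) < MIN_LENGTH:
            findings.append((key, f"shorter than {MIN_LENGTH} characters"))
    return findings


# Constructed sample resembling an unmodified env.example; the MYSQL_* key
# names are assumptions, only SYSTEM_ADMIN_PASSWORD comes from the advisory.
SAMPLE_ENV = """\
# AVideo docker environment (constructed sample)
SYSTEM_ADMIN_PASSWORD=password
MYSQL_USER=avideo
MYSQL_PASSWORD="avideo"
"""

if __name__ == "__main__":
    for key, problem in audit_env(parse_env(SAMPLE_ENV)):
        print(f"[!] {key}: {problem}")
```

Run it against the real env file of each instance (for example by reading the file into `parse_env`) as part of the audit of Docker-based deployments; an empty result means no shipped default or short password was found.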
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T18:10:50.210Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bdbd96e2bf98efc48d1059
Added to database: 3/20/2026, 9:35:18 PM
Last enriched: 3/27/2026, 10:51:06 PM
Last updated: 5/1/2026, 3:51:44 AM