CVE-2026-33039: CWE-918: Server-Side Request Forgery (SSRF) in WWBN AVideo
WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location header), the redirect target is fetched via fakeBrowser() without re-validation, allowing an attacker to reach internal services (cloud metadata, RFC1918 addresses) through an attacker-controlled redirect. This issue is fixed in version 26.0.
AI Analysis
Technical Summary
CVE-2026-33039 is a Server-Side Request Forgery (SSRF) vulnerability in the open-source video platform WWBN AVideo, affecting versions 25.0 and earlier. The vulnerable code is the plugin/LiveLinks/proxy.php endpoint, which fetches a user-supplied URL on the server's behalf. Before fetching, the endpoint passes the URL through isSSRFSafeURL(), which is meant to reject destinations on internal or private networks. That check is applied to the initial URL only. If the initial destination answers with an HTTP redirect (a 3xx status with a Location header), the redirect target is fetched by fakeBrowser() without being passed through the same check.

The attacker therefore needs nothing more than a public host they control: the initial URL points at that host, passes the check, and the host answers with a Location header pointing at an internal address such as a cloud metadata service (169.254.169.254) or an RFC1918 host. The server follows the redirect and returns whatever the internal service responds with, which can include cloud instance credentials, tokens, or data from internal APIs that are not reachable from the internet. The issue is fixed in AVideo 26.0, where redirect targets are validated as well as the initial URL.

The CVSS 3.1 base score is 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N): network-reachable, low complexity, no privileges or user interaction required, with high confidentiality impact and no integrity or availability impact. The changed scope (S:C) reflects that the damage lands on systems beyond AVideo itself, namely the internal services the server is tricked into contacting. No exploitation in the wild has been reported at the time of this analysis.
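The bug class is easiest to see side by side. The following is an added Python example, not AVideo's PHP code: `vulnerable_fetch()` reproduces the validate-once pattern the advisory attributes to isSSRFSafeURL() plus fakeBrowser(), and `safe_fetch()` re-validates every hop. The blocklist, the resolver, the fake DNS table and the fake web (`FAKE_DNS`, `FAKE_WEB`, `attacker.example`, `metadata.internal`) are all constructed for the demo so it runs offline; nothing here is taken from the project.

```python
"""Redirect-aware SSRF guard, illustrating the bug class behind CVE-2026-33039.
Added example, not AVideo's code: the two fetchers only mimic what the advisory
says isSSRFSafeURL()/fakeBrowser() do. Transport and DNS are in-memory stubs."""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Ranges a server-side fetcher must never reach. Listed explicitly rather than
# via ipaddress.is_private so the verdict does not depend on the Python version.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",   # link-local, home of 169.254.169.254 cloud metadata
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECT_CODES = {301, 302, 303, 307, 308}


class SSRFBlocked(Exception):
    pass


def default_resolver(host):
    # All addresses a hostname resolves to (A and AAAA), via real DNS.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_ip(ip_str):
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:10.0.0.1 must be judged as IPv4
    return any(ip in net for net in BLOCKED_NETS)


def assert_safe_url(url, resolver=default_resolver):
    """Reject non-http(s) URLs and hosts that resolve into BLOCKED_NETS."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise SSRFBlocked(f"unsupported or hostless URL: {url}")
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]   # literal IP
    except ValueError:
        addrs = resolver(parts.hostname)
    if not addrs or any(is_blocked_ip(a) for a in addrs):
        raise SSRFBlocked(f"{parts.hostname} -> {addrs} is internal")
    return addrs


def vulnerable_fetch(url, transport, resolver=default_resolver, max_hops=5):
    """Pre-26.0 pattern: check the first URL once, then chase redirects blindly."""
    assert_safe_url(url, resolver)
    for _ in range(max_hops + 1):
        status, headers, body = transport(url)
        if status in REDIRECT_CODES and "location" in headers:
            url = urljoin(url, headers["location"])   # never re-checked: the bug
            continue
        return status, body
    raise SSRFBlocked("too many redirects")


def safe_fetch(url, transport, resolver=default_resolver, max_hops=5):
    """Fixed pattern: every hop, including each Location target, is validated."""
    for _ in range(max_hops + 1):
        assert_safe_url(url, resolver)
        status, headers, body = transport(url)
        if status in REDIRECT_CODES and "location" in headers:
            url = urljoin(url, headers["location"])
            continue
        return status, body
    raise SSRFBlocked("too many redirects")


# Constructed fixtures: a fake internet and fake DNS; nothing real is contacted.
FAKE_DNS = {"attacker.example": ["203.0.113.10"], "metadata.internal": ["169.254.169.254"]}
FAKE_WEB = {
    # attacker-hosted pages that pass the initial check, then bounce inward
    # (absolute Location, and a relative one whose host resolves internally)
    "http://attacker.example/bounce":
        (302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"iam/security-credentials/"),
    "http://attacker.example/rel": (301, {"location": "//metadata.internal/"}, b""),
    "http://metadata.internal/": (200, {}, b"internal"),
    "http://attacker.example/ok": (200, {}, b"public content"),
}


def demo():
    """Run both fetchers against the fixtures and return their outcomes."""
    resolver, transport = FAKE_DNS.get, FAKE_WEB.__getitem__
    out = {"vuln": vulnerable_fetch("http://attacker.example/bounce", transport, resolver)}
    for name in ("bounce", "rel", "ok"):
        try:
            out[name] = safe_fetch(f"http://attacker.example/{name}", transport, resolver)
        except SSRFBlocked:
            out[name] = "blocked"
    return out


if __name__ == "__main__":
    print(demo())
```

Two things the example leaves for a real implementation. First, checking the resolved address and then letting an HTTP client resolve the name again is a DNS-rebinding window; the connection should be made to the address that was checked, with the hostname supplied separately (Host header / SNI). Second, for a proxy endpoint the simplest correct fix is often to not follow redirects at all and return the 3xx to the caller, which removes the second validation point entirely. The stub transport lowercases header names; a real client should normalise `Location` the same way.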
Potential Impact
The primary impact of CVE-2026-33039 is unauthorized disclosure of internal information. An attacker can use the AVideo server as a proxy into services that are normally reachable only from inside its network, most notably cloud metadata endpoints that hand out instance credentials, tokens, or configuration, which in turn can lead to compromise of the surrounding cloud account or internal network. Because the endpoint requires neither authentication nor user interaction, and the attacker needs only a public host that emits a redirect, exploitation is cheap and fully remote. Organizations running vulnerable versions risk exposure of confidential data that can be used for lateral movement, privilege escalation, or data exfiltration. The exposure is greatest for deployments that serve the proxy.php endpoint to the internet or to untrusted users. The vulnerability does not by itself alter data or disrupt service, so the direct impact is limited to confidentiality; anything beyond that depends on what the leaked credentials allow. The absence of known exploitation in the wild lowers immediate risk but does not remove it, given that the details are public and the fix is straightforward to infer.
Mitigation Recommendations
1. Upgrade WWBN AVideo to version 26.0 or later, where redirect targets are validated as well as the initial URL.
2. Restrict the AVideo server's outbound access with host- or network-level egress filtering: deny connections from the web application to RFC1918 ranges, link-local space (including the 169.254.169.254 metadata address), and loopback, allowing only the destinations the proxy legitimately needs. This is the compensating control that actually blocks the redirect hop.
3. Where the server runs in a cloud environment, harden the metadata service itself, for example by requiring session-token style access (AWS IMDSv2 and equivalents), which a plain redirect-following GET cannot satisfy, and by keeping instance roles minimally privileged.
4. Treat WAF rules as a weak supplement only. The inbound request to proxy.php carries a benign-looking public URL; the internal destination appears only in the server's outbound traffic, which a WAF in front of the application never sees.
5. Monitor for exploitation in the right place: application logs will show proxy.php requests with external URLs, but the evidence of a successful pivot is an outbound connection from the AVideo host to an internal or metadata address, so alert on egress-proxy or host-firewall logs for those destinations.
6. If an immediate upgrade is not possible, disable the LiveLinks plugin or restrict proxy.php to trusted, authenticated users.
7. Include SSRF in regular assessments and penetration tests of the platform, specifically testing redirect chains, DNS names that resolve to internal addresses, and IPv6 or IPv4-mapped forms of internal addresses.
8. Ensure developers and administrators understand that URL validation must be applied to every hop a fetcher follows, not just the first URL, and that resolving a name once and connecting later leaves a rebinding window.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T18:10:50.210Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bce490e32a4fbe5f33889a
Added to database: 3/20/2026, 6:09:20 AM
Last enriched: 3/20/2026, 6:24:28 AM
Last updated: 5/2/2026, 1:01:42 PM