CVE-2026-33237 is a medium-severity SSRF vulnerability affecting WWBN AVideo, an open-source video platform, specifically in versions prior to 26.0. The issue resides in the Scheduler plugin's run() function within plugin/Scheduler/Scheduler.php, which invokes the url_get_contents() function on a callbackURL that administrators can configure. This callbackURL is only validated by isValidURL(), a function that checks URL format but does not restrict requests to safe destinations. Unlike other AVideo endpoints recently patched for SSRF, this callbackURL is not filtered by isSSRFSafeURL(), which blocks requests to RFC-1918 private IP ranges, loopback addresses, and cloud metadata endpoints. As a result, an administrator can configure scheduled tasks to make SSRF requests to internal network resources, such as cloud infrastructure metadata services or internal APIs that are otherwise inaccessible from the internet. This can lead to unauthorized disclosure of sensitive information, including cloud credentials or internal service data, and potentially allow attackers to pivot within the network. Exploitation requires administrative privileges on the AVideo platform but does not require user interaction. The vulnerability does not directly impact availability but can compromise confidentiality and integrity. The issue was publicly disclosed on March 20, 2026, with a CVSS 3.1 base score of 5.5, reflecting network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact. The patch in version 26.0 addresses this by applying proper SSRF protections to the Scheduler callbackURL, likely by integrating isSSRFSafeURL() or equivalent filtering. No known exploits are reported in the wild as of the publication date.

The primary impact of CVE-2026-33237 is unauthorized access to internal network resources through SSRF, which can lead to significant confidentiality breaches. Attackers with administrative access to the AVideo platform can exploit this vulnerability to query cloud metadata services, potentially retrieving sensitive credentials and tokens that enable further compromise of cloud infrastructure. Internal APIs and services not exposed externally may also be accessed, increasing the risk of lateral movement and data exfiltration within an organization's network. Although the vulnerability requires administrative privileges, the ability to abuse scheduled tasks for SSRF can facilitate stealthy reconnaissance and exploitation. The integrity of internal systems may be partially affected if attackers leverage obtained credentials to modify configurations or data. Availability is not directly impacted. Organizations using affected versions of AVideo in cloud or hybrid environments are at particular risk, especially if internal network segmentation is weak. This vulnerability could be leveraged in targeted attacks against media platforms or organizations hosting video content, potentially impacting confidentiality of sensitive media or user data.

To mitigate CVE-2026-33237, organizations should upgrade WWBN AVideo to version 26.0 or later, which includes the official patch addressing this SSRF vulnerability. Until upgrading, administrators should audit all scheduled tasks configured in the Scheduler plugin to verify that callbackURLs do not point to internal IP ranges, loopback addresses, or cloud metadata endpoints. Implement network-level controls such as firewall rules or egress filtering to block AVideo servers from making HTTP requests to sensitive internal IP ranges and cloud metadata IP addresses (e.g., 169.254.169.254). Restrict administrative access to the AVideo platform to trusted personnel only, minimizing the risk of malicious configuration changes. Consider deploying web application firewalls (WAFs) with custom rules to detect and block SSRF attempts targeting internal resources. Additionally, monitor logs for unusual outbound HTTP requests from the AVideo server, especially those directed at internal or cloud metadata addresses. Employ network segmentation to isolate critical internal services from application servers. Finally, review and harden internal API authentication and authorization mechanisms to reduce the impact of potential SSRF exploitation.