CVE-2026-33297 is a medium-severity authorization bypass vulnerability found in the open-source WWBN AVideo platform, specifically in versions before 26.0. The vulnerability stems from a logic error in the CustomizeUser plugin's setPassword.json.php endpoint, which is responsible for setting channel passwords. When an administrator sets a channel password containing any non-numeric characters, the system silently coerces this password to the integer zero before storing it. This coercion occurs due to improper input handling and type conversion in the password processing logic. As a result, regardless of the intended password, the stored password becomes '0'. Since '0' is a trivial and easily guessable password, any visitor can bypass channel-level access controls by simply entering '0' as the password. This flaw effectively nullifies the intended access restrictions on video channels. Exploitation requires administrative privileges to invoke the vulnerable endpoint but does not require any user interaction or authentication beyond that. The vulnerability impacts confidentiality by allowing unauthorized users to access protected video channels. The issue was addressed and patched in WWBN AVideo version 26.0. No known exploits have been reported in the wild as of the publication date. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond admin, no user interaction, and low impact on confidentiality and integrity, with no impact on availability.

The primary impact of CVE-2026-33297 is the compromise of channel-level confidentiality within the WWBN AVideo platform. Unauthorized users can gain access to video channels protected by passwords, potentially exposing sensitive or private video content. This can lead to data leakage, privacy violations, and reputational damage for organizations relying on AVideo to securely distribute video content. Since the vulnerability requires administrative privileges to set the password, the risk is higher in environments where administrators may be compromised or malicious. Attackers who gain admin access can exploit this flaw to weaken channel security, enabling broader unauthorized access. The vulnerability does not affect system availability or integrity directly but undermines access control mechanisms. Organizations using affected versions may face compliance issues if sensitive content is exposed. The ease of guessing the password '0' makes exploitation trivial once the flawed password is set. Although no exploits are known in the wild, the vulnerability presents a clear risk to confidentiality in affected deployments.

To mitigate CVE-2026-33297, organizations should immediately upgrade WWBN AVideo installations to version 26.0 or later, where the vulnerability is patched. Administrators should audit all channel passwords set prior to the upgrade, especially those containing non-numeric characters, and reset them to strong, complex passwords that do not rely on numeric coercion. Implement input validation and sanitization on password fields to prevent unintended type coercion. Restrict administrative access to trusted personnel and enforce strong authentication mechanisms to reduce the risk of malicious password changes. Monitor logs for suspicious password changes or access attempts using the password '0'. Consider implementing multi-factor authentication for administrative accounts to further protect against unauthorized changes. Regularly review and update access control policies for video channels. If upgrading immediately is not possible, temporarily disable the CustomizeUser plugin or restrict access to the setPassword.json.php endpoint to trusted IPs or networks. Finally, educate administrators about the vulnerability and the importance of secure password management.