
CVE-2026-33492: CWE-384: Session Fixation in WWBN AVideo

Severity: High
Published: Mon Mar 23 2026 (03/23/2026, 15:25:27 UTC)
Source: CVE Database V5
Vendor/Project: WWBN
Product: AVideo

Description

CVE-2026-33492 is a high-severity session fixation vulnerability in WWBN AVideo versions up to 26.0. The vulnerability arises because the platform's _session_start() function accepts arbitrary session IDs via the PHPSESSID GET parameter, allowing attackers to fix a session ID before user authentication. Additionally, session regeneration is bypassed for certain blacklisted endpoints when requests originate from the same domain, and session regeneration is explicitly disabled during user login. This combination enables attackers to hijack authenticated sessions by forcing victims to use attacker-chosen session IDs. The vulnerability has a CVSS score of 7.3, indicating high impact on confidentiality and integrity with low attack complexity but requiring some privileges and user interaction. A patch addressing this issue is available in commit 5647a94d79bf69a972a86653fe02144079948785. Organizations using affected versions should apply the patch promptly to prevent session hijacking attacks.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/23/2026, 16:01:01 UTC

Technical Analysis

CVE-2026-33492 is a session fixation vulnerability affecting WWBN AVideo, an open-source video platform, in versions up to and including 26.0. The root cause is that the _session_start() function accepts session IDs passed via the PHPSESSID GET parameter without proper validation or regeneration, allowing an attacker to specify an arbitrary session ID. Normally, session fixation attacks are mitigated by regenerating session IDs upon authentication; however, in AVideo, session regeneration is explicitly disabled in the User::login() function. Furthermore, a session regeneration bypass exists for specific blacklisted endpoints when requests originate from the same domain, further weakening session management. This flaw enables an attacker to fix a victim's session ID before login, and once the victim authenticates, the attacker can hijack the authenticated session by using the known session ID. The vulnerability impacts confidentiality and integrity by allowing unauthorized access to user accounts and potentially sensitive video content. The CVSS 3.1 score of 7.3 reflects network attack vector, low complexity, requiring privileges and user interaction, with high confidentiality and integrity impact but no availability impact. The vulnerability was reserved on March 20, 2026, and published on March 23, 2026. A patch is available in commit 5647a94d79bf69a972a86653fe02144079948785, which presumably enforces proper session ID regeneration and disallows arbitrary session ID acceptance via GET parameters.

Potential Impact

The session fixation vulnerability allows attackers to hijack authenticated user sessions by forcing victims to use attacker-controlled session IDs. This can lead to unauthorized access to user accounts, including potentially sensitive video content and user data hosted on the AVideo platform. For organizations relying on AVideo for video streaming or content delivery, this can result in data breaches, privacy violations, and loss of user trust. Attackers may impersonate legitimate users, perform actions on their behalf, or access restricted content. Since the vulnerability affects session management, it compromises both the confidentiality and the integrity of user sessions. Although no direct availability impact is noted, the reputational damage and potential regulatory consequences from data exposure can be significant. The attack requires some user interaction (the victim visiting a crafted URL) and low privileges, but exploitation is of low complexity, making it a credible threat, especially in environments with many users or public-facing deployments.

Mitigation Recommendations

Organizations should immediately upgrade WWBN AVideo to a version that includes the patch from commit 5647a94d79bf69a972a86653fe02144079948785 or later. If upgrading is not immediately possible, implement the following mitigations:

1) Disable acceptance of session IDs via GET parameters entirely, so that attackers cannot set arbitrary session IDs.
2) Enforce session ID regeneration upon every authentication event, including login, to prevent fixation.
3) Audit and remove any session regeneration bypasses, especially for blacklisted endpoints, ensuring consistent session management across all routes.
4) Set secure cookie flags (HttpOnly, Secure, SameSite) to reduce session hijacking risks.
5) Monitor logs for suspicious session activity or repeated session ID reuse.
6) Educate users to avoid clicking on suspicious links that may contain session IDs.
7) Conduct regular security reviews of session management code to detect similar issues.

These steps go beyond generic advice by focusing on the specifics of session ID handling and on code-level fixes.
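The following is an added example, written for this page; it is not AVideo's code and not the patch in commit 5647a94d79bf69a972a86653fe02144079948785. It shows, in generic PHP, the anti-pattern the advisory describes (adopting a session ID from the PHPSESSID query parameter) next to a hardened session bootstrap that covers mitigations 1, 2, 4 and 5 above: the session ID is taken only from the cookie, PHP's strict mode rejects IDs the server never issued, the ID is regenerated at login, cookie flags are set, and any request that still carries a session ID in the URL is logged as a signal to watch. The function names (weak_session_start, secure_session_start, on_login_success, on_logout, log_url_session_id_attempt) are the example's own.

```php
<?php
declare(strict_types=1);

// Anti-pattern (illustration only, not AVideo's actual function): adopting a
// session ID supplied in the query string lets a caller choose the ID that a
// later login will be bound to. Kept here only to show what the fix replaces.
function weak_session_start(): void
{
    if (isset($_GET['PHPSESSID']) && is_string($_GET['PHPSESSID'])) {
        session_id($_GET['PHPSESSID']);   // caller-chosen ID is accepted
    }
    session_start();
}

// Hardened bootstrap: the ID can only arrive via the cookie, IDs not generated
// by this server are rejected, and cookie flags limit exposure.
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
    ini_set('session.use_trans_sid', '0');     // never write the ID into URLs
    ini_set('session.use_strict_mode', '1');   // reject uninitialized (planted) IDs

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    log_url_session_id_attempt();
    session_start();
}

// Mitigation 2: issue a fresh ID at the privilege boundary. With delete_old_session
// set, the pre-login ID (the one an attacker could have planted) is destroyed.
function on_login_success(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// Clear server state and expire the cookie so the old ID cannot be reused.
function on_logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'] ?? 'Lax',
    ]);
    session_destroy();
}

// Mitigation 5: a session ID in the URL is never legitimate once the fix above is
// in place, so its presence is worth recording for monitoring and alerting.
function log_url_session_id_attempt(): void
{
    if (isset($_GET['PHPSESSID'])) {
        error_log(sprintf(
            'session_fixation_signal remote=%s uri=%s',
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $_SERVER['REQUEST_URI'] ?? '-'
        ));
    }
}

// Typical use per request:
//   secure_session_start();
//   ... on successful credential check: on_login_success($user->id);
```

The strict-mode setting matters as much as the cookie-only setting: even if an ID reaches the server through the cookie header, PHP discards it unless the server itself created it, so a planted ID cannot be bound to the victim's later login. Regenerating at login then closes the remaining window, which is exactly the step the advisory says AVideo had disabled.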


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-20T16:16:48.971Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69c16032f4197a8e3b6f2c0c

Added to database: 3/23/2026, 3:45:54 PM

Last enriched: 3/23/2026, 4:01:01 PM

Last updated: 3/23/2026, 5:03:34 PM
