CVE-2026-33501: CWE-862: Missing Authorization in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches.
AI Analysis
Technical Summary
WWBN AVideo is an open-source video platform that, in versions up to and including 26.0, contains a missing authorization vulnerability identified as CVE-2026-33501. Specifically, the endpoint plugin/Permissions/View/Users_groups_permissions/list.json.php does not perform any authentication or authorization checks, allowing any unauthenticated user to access the complete permission matrix. This matrix details the mapping between user groups and their assigned plugin permissions, potentially exposing sensitive configuration information. Notably, other endpoints in the same directory such as add.json.php, delete.json.php, and index.php correctly require administrative privileges via User::isAdmin(), indicating this missing check is an oversight rather than a design choice. The vulnerability is classified under CWE-862 (Missing Authorization). The CVSS v3.1 base score is 5.3, reflecting that the attack vector is network-based, requires no privileges or user interaction, and impacts confidentiality only, with no effect on integrity or availability. Although no exploits have been observed in the wild, the exposure of permission data could aid attackers in reconnaissance or facilitate further attacks by revealing the internal permission structure. The vendor has committed patches in recent updates to address this issue.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of sensitive permission data, which can reveal how user groups are mapped to plugins within the AVideo platform. This information leakage can assist attackers in understanding the internal security model, identifying privileged groups, and potentially crafting targeted attacks or social engineering campaigns. While the vulnerability does not allow modification of permissions or direct compromise of data integrity or availability, the confidentiality breach can be leveraged as a stepping stone for further exploitation, especially in environments where AVideo is integrated with other systems or contains sensitive video content. Organizations relying on AVideo for video hosting or streaming may face increased risk of targeted attacks or unauthorized access attempts if this information is exposed. The risk is heightened in deployments accessible from the public internet without additional access controls.
Mitigation Recommendations
Organizations should immediately update AVideo installations to versions that include the patches referenced by commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516, which enforce proper authentication and authorization checks on the affected endpoint. Until patches are applied, administrators should consider restricting network access to the AVideo management interface, especially the plugin/Permissions/View/Users_groups_permissions/list.json.php endpoint, using firewalls or web application firewalls (WAFs) to block unauthenticated requests. Additionally, monitoring access logs for unusual or unauthorized requests to this endpoint can help detect exploitation attempts. Reviewing and hardening overall access control policies and ensuring that all administrative endpoints require proper authentication can reduce the risk of similar oversights. Finally, organizations should educate their security teams about this vulnerability to ensure timely response and remediation.
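Monitoring access logs for requests to the affected endpoint, as the paragraph above recommends, is the kind of check a defender can script. The block below is an added example, not code from AVideo or from this advisory: it parses Apache/nginx combined-format access log lines (an assumption about the deployment's log format) and reports every request to the `list.json.php` path grouped by source address; the log lines are constructed samples. Standard access logs do not record whether the session was authenticated, so each hit must be reconciled against known administrator activity.

```python
import re
from collections import Counter

# Path of the unauthenticated endpoint named in the advisory.
TARGET_PATH = "/plugin/Permissions/View/Users_groups_permissions/list.json.php"

# Apache/nginx "combined" log format; the regex is an assumption about the
# deployment's log format, not something taken from the AVideo project.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines: an admin browsing the normal UI, two hits on the
# leaky endpoint from an unrelated source, and unrelated traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Mar/2026:10:01:02 +0000] "GET /plugin/Permissions/View/Users_groups_permissions/index.php HTTP/1.1" 200 5120 "https://video.example/" "Mozilla/5.0"
198.51.100.7 - - [24/Mar/2026:10:05:41 +0000] "GET /plugin/Permissions/View/Users_groups_permissions/list.json.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.7 - - [24/Mar/2026:10:05:42 +0000] "GET /plugin/Permissions/View/Users_groups_permissions/list.json.php?page=2 HTTP/1.1" 200 1024 "-" "python-requests/2.31"
203.0.113.10 - - [24/Mar/2026:10:06:00 +0000] "GET /view/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["path"] = d["path"].split("?", 1)[0]  # drop query string before comparing
    return d

def find_endpoint_hits(log_text):
    """Return (hits, per_ip): parsed requests to TARGET_PATH and a count of
    them by source address.  Access logs do not show whether the session was
    authenticated, so every hit on this path is reported and must be
    reconciled against known admin activity rather than treated as proof."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == TARGET_PATH:
            hits.append(rec)
    per_ip = Counter(h["ip"] for h in hits)
    return hits, per_ip

if __name__ == "__main__":
    hits, per_ip = find_endpoint_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ua={h["ua"]!r}')
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} request(s) to the permission-matrix endpoint")
```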
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:59:08.888Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c16abef4197a8e3b7505b2
Added to database: 3/23/2026, 4:30:54 PM
Last enriched: 3/30/2026, 8:21:26 PM
Last updated: 5/8/2026, 9:01:47 AM