CVE-2026-33502 is a Server-Side Request Forgery (SSRF) vulnerability identified in the open-source video platform WWBN AVideo, specifically affecting versions up to and including 26.0. The vulnerability resides in the plugin/Live/test.php script, which improperly handles user-supplied input to generate HTTP requests. Because this endpoint does not require authentication, any remote attacker can exploit it to coerce the AVideo server into sending HTTP requests to arbitrary URLs. This capability enables attackers to probe internal network services that are otherwise inaccessible externally, including localhost services and cloud provider metadata endpoints (such as AWS, Azure, or GCP metadata services). Access to cloud metadata endpoints can lead to credential disclosure and further compromise of cloud infrastructure. The vulnerability is classified under CWE-918 (Server-Side Request Forgery) and has a CVSS v3.1 base score of 9.3, reflecting its critical severity. The vector string (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, scope change, high confidentiality impact, low integrity impact, and no availability impact. A patch has been committed (commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3) to remediate the issue, but no public exploits have been reported yet. Given the nature of SSRF, attackers can leverage this vulnerability for reconnaissance and lateral movement within internal networks or cloud environments.

The impact of CVE-2026-33502 is significant for organizations using WWBN AVideo versions up to 26.0. Exploitation allows attackers to bypass perimeter defenses by leveraging the server as a proxy to access internal services that are not exposed externally. This can lead to unauthorized disclosure of sensitive information, including internal APIs, databases, or cloud metadata endpoints that contain credentials or configuration data. Compromise of cloud metadata services can enable attackers to escalate privileges, move laterally, or exfiltrate data from cloud environments. Although the vulnerability does not directly impact availability or integrity, the confidentiality breach alone can have severe consequences such as data leaks, account takeover, and further network compromise. The lack of authentication and user interaction requirements lowers the barrier to exploitation, increasing the risk of widespread attacks. Organizations with AVideo deployments in sensitive or regulated environments face heightened risks, especially if internal network segmentation is weak or cloud environments are used without strict metadata access controls.

To mitigate CVE-2026-33502, organizations should immediately update WWBN AVideo to a version that includes the patch (post-26.0) addressing the SSRF vulnerability. If immediate patching is not feasible, implement network-level controls to restrict outbound HTTP requests from the AVideo server, limiting them to trusted destinations only. Employ web application firewalls (WAFs) with rules designed to detect and block SSRF patterns targeting the vulnerable endpoint. Disable or restrict access to the plugin/Live/test.php script if it is not required for operational purposes. Additionally, enforce strict cloud metadata service protections, such as using Instance Metadata Service Version 2 (IMDSv2) on AWS or equivalent protections on other cloud platforms, to prevent unauthorized metadata access. Conduct internal network segmentation to isolate the AVideo server from sensitive internal services. Monitor logs for unusual outbound HTTP requests originating from the AVideo server to detect potential exploitation attempts. Finally, educate development and security teams about SSRF risks and secure coding practices to prevent similar vulnerabilities in the future.