WWBN AVideo is an open-source video platform widely used for video hosting and streaming. In versions up to and including 26.0, a critical vulnerability (CVE-2026-33512) exists due to improper authentication (CWE-287) in the API plugin's decryptString action. This API endpoint allows unauthenticated users to submit ciphertext and receive decrypted plaintext responses. The ciphertext tokens are publicly issued by other API endpoints such as view/url2Embed.json.php, which means any user or attacker can obtain these ciphertexts and then use the decryptString action to reveal sensitive protected tokens or metadata. This vulnerability stems from weak cryptographic handling (CWE-312, CWE-326, CWE-327) where encryption keys or mechanisms are exposed or improperly protected. The flaw enables attackers to bypass authentication controls and decrypt sensitive data without any privileges or user interaction. The vendor has addressed this issue in a patch committed under commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13. The CVSS v3.1 base score is 7.5, reflecting high severity due to network attack vector, no required privileges or user interaction, and high confidentiality impact. No integrity or availability impacts are noted. No known exploits have been reported in the wild as of the publication date.

The primary impact of this vulnerability is the complete compromise of confidentiality for sensitive tokens and metadata managed by the AVideo platform. Attackers can decrypt protected data that may include authentication tokens, session identifiers, or other sensitive information used to control access to video content or administrative functions. This can lead to unauthorized access to restricted videos, user data leakage, and potential further exploitation of the platform or connected systems. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely and at scale by any attacker aware of the API endpoints. Organizations relying on AVideo for video streaming or hosting may suffer data breaches, loss of user trust, and regulatory compliance issues if sensitive information is exposed. However, the vulnerability does not directly affect data integrity or system availability, limiting the scope to confidentiality breaches.

Organizations should immediately upgrade WWBN AVideo to a version later than 26.0 where the patch for CVE-2026-33512 has been applied. If upgrading is not immediately possible, administrators should restrict access to the API plugin endpoints, especially the decryptString action, by implementing network-level controls such as IP whitelisting or VPN access. Additionally, applying web application firewall (WAF) rules to detect and block unauthorized decryptString requests can reduce exposure. Review and rotate any tokens or cryptographic keys that may have been exposed due to this vulnerability. Conduct an audit of logs to detect any suspicious decryptString API usage prior to patching. Finally, follow secure coding practices to ensure cryptographic operations require proper authentication and authorization, and avoid exposing sensitive decryption functionality publicly.