WWBN AVideo, an open-source video platform, suffers from an improper authentication vulnerability identified as CVE-2026-33512. In versions up to and including 26.0, the API plugin includes a decryptString action that lacks any authentication controls. This means that any unauthenticated user can submit ciphertext to this API endpoint and receive the decrypted plaintext in response. The ciphertext tokens themselves are publicly obtainable through other API endpoints such as view/url2Embed.json.php, which means an attacker can easily gather ciphertext and then use the decryptString action to recover sensitive protected tokens and metadata. This vulnerability stems from CWE-287 (Improper Authentication) and is related to cryptographic weaknesses (CWE-312, CWE-326, CWE-327) due to exposing cryptographic operations without proper access controls. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting its high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and a high impact on confidentiality. The flaw does not impact integrity or availability. A patch has been committed (commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13) to address this issue by enforcing authentication on the decryptString action. No known exploits have been reported in the wild as of the publication date.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive tokens and metadata that are intended to be protected within the AVideo platform. Attackers can decrypt ciphertext tokens without any authentication, potentially exposing user session tokens, embed URLs, or other confidential information. This breach of confidentiality could lead to further attacks such as unauthorized access to video content, impersonation, or data leakage. Since the vulnerability does not affect integrity or availability, it does not allow attackers to modify data or disrupt service directly. However, the exposure of sensitive tokens could indirectly facilitate privilege escalation or unauthorized actions if combined with other vulnerabilities or social engineering. Organizations relying on AVideo for video hosting or streaming services risk reputational damage, loss of user trust, and potential regulatory compliance issues related to data protection. The ease of exploitation (no authentication or user interaction required) and the public availability of ciphertext tokens increase the likelihood of exploitation if the vulnerability is not patched promptly.

Organizations should immediately upgrade WWBN AVideo to a version later than 26.0 where the patch commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 has been applied. If upgrading is not immediately possible, administrators should disable or restrict access to the decryptString API endpoint to trusted users only, for example by implementing network-level access controls or API gateway authentication. Review and audit API usage logs for any suspicious decryptString requests. Additionally, consider rotating any tokens or credentials that may have been exposed due to this vulnerability. Implement strict access control policies around cryptographic operations and ensure that sensitive API actions require proper authentication and authorization. Regularly monitor WWBN security advisories for updates and apply patches promptly. Finally, educate developers and administrators on secure API design to avoid exposing cryptographic functions without authentication.