WWBN AVideo, an open-source video platform, suffers from a critical CSRF vulnerability identified as CVE-2026-33649 affecting all versions up to and including 26.0. The vulnerability centers on the `plugin/Permissions/setPermission.json.php` endpoint, which accepts GET parameters to perform state-changing operations that modify user group permissions. Crucially, this endpoint lacks any CSRF token validation, violating standard security practices that prevent unauthorized state changes via cross-site requests. Compounding the issue, the application explicitly sets session cookies with the attribute `SameSite=None`, which allows cookies to be sent in cross-site contexts, enabling CSRF attacks to succeed. An attacker can exploit this by crafting a malicious webpage embedding `<img>` tags that issue GET requests to the vulnerable endpoint. When an administrator visits this malicious page, their browser automatically sends the session cookie, and the request silently grants arbitrary permissions to the attacker's user group. This results in privilege escalation to near-admin access without requiring the attacker to authenticate or interact beyond the page visit. The vulnerability has a CVSS v3.1 base score of 8.1, indicating high severity due to its low attack complexity, no required privileges, and significant impact on confidentiality and integrity. As of the publication date, no patches or updates have been released to address this flaw, leaving systems exposed. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery).

The impact of CVE-2026-33649 is significant for organizations using WWBN AVideo, especially those relying on it for managing video content and user permissions. Successful exploitation allows an unauthenticated attacker to escalate privileges by granting their user group arbitrary permissions, effectively gaining near-administrative control over the platform. This can lead to unauthorized access to sensitive video content, manipulation or deletion of videos, alteration of user roles, and potential disruption of service. Confidentiality is severely compromised as attackers can access restricted content, and integrity is undermined by unauthorized permission changes. Availability impact is minimal but could occur indirectly if attackers disrupt administrative functions. Given the ease of exploitation—requiring only that an admin visit a malicious page—and the lack of authentication barriers, the threat is acute. Organizations with multiple administrators or those with high-value content are at elevated risk. The absence of a patch increases exposure duration, potentially inviting targeted attacks once exploit code becomes public.

Until an official patch is released, organizations should implement several specific mitigations: 1) Restrict administrative access to trusted networks or VPNs to reduce exposure to external CSRF attempts. 2) Educate administrators to avoid visiting untrusted or suspicious websites while logged into the AVideo platform. 3) Employ web application firewalls (WAFs) to detect and block suspicious requests to the vulnerable endpoint, especially those originating from cross-site contexts or containing unusual GET parameters. 4) Modify server or application configurations to enforce stricter SameSite cookie policies (e.g., SameSite=Lax or Strict) if feasible, to prevent cookies from being sent on cross-site requests. 5) Implement additional authentication or confirmation steps for permission changes, such as requiring re-authentication or out-of-band verification. 6) Monitor logs for unusual permission changes or access patterns indicative of exploitation attempts. 7) Consider isolating or disabling the vulnerable endpoint temporarily if it is not critical to operations. These targeted actions go beyond generic advice and address the specific mechanics of this CSRF vulnerability.