CVE-2026-33649: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
CVE-2026-33649 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability affecting WWBN AVideo versions up to 26.0. The vulnerability exists because the setPermission.json.php endpoint accepts GET requests to change user group permissions without CSRF token validation. Additionally, the application sets session cookies with SameSite=None, allowing cross-site requests to carry session cookies. An unauthenticated attacker can exploit this by crafting a malicious page containing image tags that trigger permission changes when visited by an admin user. This leads to escalation of privileges, granting the attacker near-admin access. No patches are currently available, and no known exploits have been observed in the wild. Organizations using affected versions should urgently implement mitigations to prevent exploitation.
AI Analysis
Technical Summary
WWBN AVideo, an open-source video platform, suffers from a critical CSRF vulnerability (CVE-2026-33649) in versions up to and including 26.0. The vulnerability resides in the plugin/Permissions/setPermission.json.php endpoint, which accepts GET parameters to perform state-changing operations that modify user group permissions. Crucially, this endpoint lacks any CSRF token validation, violating best practices for preventing unauthorized state changes via cross-site requests. Compounding the issue, the application explicitly sets session cookies with the attribute SameSite=None, which allows cookies to be sent with cross-origin requests, thereby enabling CSRF attacks. An attacker can exploit this by crafting a malicious webpage containing <img> tags that issue GET requests to the vulnerable endpoint. When an administrator visits this malicious page, the browser sends the admin's session cookie along with the GET request, silently modifying permissions to grant the attacker's user group elevated privileges. This effectively escalates the attacker to near-admin access: the attacker needs no credentials of their own, and the only user interaction required is the administrator visiting the malicious page. The vulnerability has a CVSS 3.1 score of 8.1, reflecting its high impact on confidentiality and integrity. As of the publication date, no patches or fixes have been released, and no active exploits have been reported. The vulnerability highlights a critical design flaw in permission management and session cookie handling within AVideo.
Potential Impact
The impact of CVE-2026-33649 is significant for organizations using WWBN AVideo versions 26.0 and earlier. Successful exploitation allows an unauthenticated attacker to escalate privileges by silently modifying user group permissions through CSRF attacks. This can lead to near-administrative access, enabling the attacker to control video content, user management, and potentially deploy further malicious actions within the platform. The confidentiality and integrity of the platform’s data are severely compromised, as attackers can manipulate permissions and access sensitive information or disrupt service operations. Given the lack of authentication and the ease of exploitation via a simple visit to a malicious webpage, the threat surface is broad. Organizations relying on AVideo for video hosting, streaming, or content management face risks of unauthorized access, data leakage, and operational disruption. The absence of patches increases exposure time, making proactive mitigation critical. Additionally, the explicit use of SameSite=None on session cookies exacerbates the risk by facilitating cross-origin requests that carry authentication tokens.
Mitigation Recommendations
Until an official patch is released, organizations should implement several specific mitigations:
1) Restrict administrative access to trusted networks or VPNs to reduce exposure to external CSRF attacks.
2) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests to the setPermission.json.php endpoint, especially those originating from external or untrusted domains.
3) Disable or limit the use of SameSite=None on session cookies if possible, or configure cookies with SameSite=Lax or Strict to prevent cross-site requests from carrying session tokens.
4) Educate administrators to avoid visiting untrusted websites while logged into the AVideo admin interface.
5) Monitor logs for unusual permission changes or access patterns indicative of CSRF exploitation attempts.
6) If feasible, implement manual CSRF token validation or request method restrictions (e.g., disallow GET for state-changing operations) via custom patches or reverse proxies.
7) Isolate the AVideo administrative interface behind additional authentication layers or multi-factor authentication to reduce risk.
These targeted mitigations go beyond generic advice and address the specific mechanics of this vulnerability.
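As an added example (not part of this advisory or of the AVideo project), the following Python scanner implements recommendation 5 over combined-format web server access logs: it flags requests to the setPermission.json.php endpoint that were made via GET, carry no Referer, or carry a Referer from another host, which is the trace an <img>-triggered cross-site request leaves behind; the same conditions are what a WAF rule under recommendation 2 would encode. The host name video.example, the log lines and the query parameter name are constructed placeholders, not values from the advisory.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log format; only the fields needed below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Endpoint named in the advisory; its request parameters are not modelled here.
ENDPOINT = "/plugin/Permissions/setPermission.json.php"


def classify(line, own_host):
    """Return a finding for a request to the permission endpoint that does not look
    like a same-site submission (GET, no Referer, or a foreign Referer), else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if not target.path.endswith(ENDPOINT):
        return None
    referer = m["referer"]
    ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
    reasons = []
    if m["method"] == "GET":
        reasons.append("state change via GET")
    if ref_host is None:
        reasons.append("no Referer")
    elif ref_host.lower() != own_host.lower():
        reasons.append(f"cross-site Referer from {ref_host}")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["time"], "method": m["method"],
            "query": target.query, "reasons": reasons}


def scan(lines, own_host):
    return [f for f in (classify(line, own_host) for line in lines) if f]


# Constructed sample log (not real traffic); video.example is the assumed AVideo host
# and "placeholder=1" stands in for whatever parameters the real endpoint takes.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Mar/2026:18:45:52 +0000] "POST /plugin/Permissions/setPermission.json.php HTTP/1.1" 200 17 "https://video.example/plugin/Permissions/" "Mozilla/5.0"',
    '10.0.0.5 - - [23/Mar/2026:18:46:10 +0000] "GET /plugin/Permissions/setPermission.json.php?placeholder=1 HTTP/1.1" 200 17 "https://attacker.example/" "Mozilla/5.0"',
    '10.0.0.9 - - [23/Mar/2026:18:47:01 +0000] "GET /videos/123 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [23/Mar/2026:18:48:30 +0000] "GET /plugin/Permissions/setPermission.json.php?placeholder=1 HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "video.example"):
        print(f["time"], f["ip"], f["method"], f["query"], "; ".join(f["reasons"]))
```

A legitimate same-site POST from the admin UI (first sample line) produces no finding, so the rule can run continuously without drowning the real hits.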
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T15:23:42.217Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69c18a60f4197a8e3b8159f3
Added to database: 3/23/2026, 6:45:52 PM
Last enriched: 3/23/2026, 7:01:16 PM
Last updated: 3/23/2026, 8:38:28 PM