CVE-2026-33650: CWE-863: Incorrect Authorization in WWBN AVideo
CVE-2026-33650 is a high-severity authorization vulnerability in WWBN AVideo versions up to and including 26.0. It allows users holding the 'Videos Moderator' permission, which is intended only for changing a video's publicity status, to escalate privileges and perform full video management operations, including transferring ownership of any video and deleting it. The flaw arises from inconsistent authorization checks between the video editing and video deletion endpoints, enabling a two-step exploit that first transfers ownership and then deletes the video. The result is unauthorized modification and removal of video content, affecting data integrity and availability. Exploitation requires low privileges and no user interaction; the vulnerability has not been observed exploited in the wild. A patch has been committed to address the issue, and organizations running affected versions should prioritize updating.
AI Analysis (machine-generated threat intelligence)
Technical Summary
WWBN AVideo, an open-source video platform, suffers from an incorrect authorization vulnerability identified as CVE-2026-33650 (CWE-863) affecting versions up to and including 26.0. The vulnerability stems from improper permission checks in the platform's video management APIs. Specifically, the 'Videos Moderator' role is documented to allow only publicity status changes (Active, Inactive, Unlisted) but due to flawed authorization logic, users with this role can escalate privileges. The function Permissions::canModerateVideos() is used as the gatekeeper for full video editing in videoAddNew.json.php, but videoDelete.json.php only verifies video ownership without checking moderator permissions. This asymmetry allows a malicious moderator to first transfer ownership of any video to themselves and then delete it, bypassing intended restrictions. The exploit requires only low privileges and no user interaction, making it relatively easy to execute. The vulnerability impacts confidentiality (limited), integrity (high, due to unauthorized modifications), and availability (low, due to deletions). A patch has been committed (commit 838e16818c793779406ecbf34ebaeba9830e33f8) to correct the authorization checks and prevent privilege escalation.
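The following is an added, self-contained model of the check asymmetry described above; it is not AVideo's PHP code and the function, field and permission names are assumptions chosen for illustration. It puts the vulnerable shape (an edit endpoint gated on a moderator permission that also lets the caller change the owner field, beside a delete endpoint gated on ownership alone) next to a hardened shape in which both endpoints consult one policy function that limits the moderator role to publicity-status changes.

```python
"""Model of the CVE-2026-33650 authorization asymmetry (constructed example).

Not AVideo's code: user, video and permission names are made up for the
model. The vulnerable pair reproduces the pattern the advisory describes;
the hardened pair routes every action through a single decision point.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    is_admin: bool = False
    # "videos_moderator" stands in for the 'Videos Moderator' role.
    permissions: set = field(default_factory=set)


@dataclass
class Video:
    video_id: int
    owner: str
    status: str = "Active"
    deleted: bool = False


class AuthorizationError(Exception):
    pass


# --- Vulnerable shape: two endpoints, two unrelated checks ------------------

def edit_video_vulnerable(user: User, video: Video, **changes) -> Video:
    # Gatekeeper in the spirit of a canModerateVideos() check: any moderator
    # may set any field of any video, including "owner".
    if not (user.is_admin or "videos_moderator" in user.permissions):
        raise AuthorizationError("moderator permission required")
    for key, value in changes.items():
        setattr(video, key, value)
    return video


def delete_video_vulnerable(user: User, video: Video) -> Video:
    # Ownership is the only check; after a self-transfer it passes.
    if not (user.is_admin or video.owner == user.name):
        raise AuthorizationError("not the owner")
    video.deleted = True
    return video


# --- Hardened shape: one policy consulted by every endpoint -----------------

MODERATOR_EDITABLE_FIELDS = {"status"}  # publicity status only


def authorize(user: User, video: Video, action: str, fields=()) -> None:
    """Single decision point for all video-management actions."""
    if user.is_admin or video.owner == user.name:
        return
    if action == "edit" and "videos_moderator" in user.permissions \
            and set(fields) <= MODERATOR_EDITABLE_FIELDS:
        return
    raise AuthorizationError(
        f"{user.name} may not {action} {sorted(fields)} on video {video.video_id}")


def edit_video_hardened(user: User, video: Video, **changes) -> Video:
    authorize(user, video, "edit", fields=changes.keys())
    for key, value in changes.items():
        setattr(video, key, value)
    return video


def delete_video_hardened(user: User, video: Video) -> Video:
    authorize(user, video, "delete")
    video.deleted = True
    return video


def two_step_path(edit, delete) -> str:
    """Run transfer-then-delete by a plain moderator against a pair of
    endpoints and report the outcome, so both variants can be compared."""
    mod = User("mallory", permissions={"videos_moderator"})
    video = Video(video_id=42, owner="alice")
    try:
        edit(mod, video, owner=mod.name)
        delete(mod, video)
    except AuthorizationError as exc:
        return f"blocked: {exc}"
    return "deleted" if video.deleted else "not deleted"


if __name__ == "__main__":
    print("vulnerable:", two_step_path(edit_video_vulnerable, delete_video_vulnerable))
    print("hardened:  ", two_step_path(edit_video_hardened, delete_video_hardened))
```

The design point is that `authorize()` is the only place that knows what a moderator may do, so a field like `owner` cannot be reachable through one endpoint and forgotten by another; the moderator still succeeds when the change set is limited to `status`.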
Potential Impact
The vulnerability enables unauthorized users with limited moderator permissions to escalate their privileges and perform destructive actions such as transferring ownership and deleting any video on the platform. This can lead to significant integrity violations by allowing malicious actors to alter or remove content without authorization. Availability is also affected as videos can be deleted, potentially disrupting service and user experience. Confidentiality impact is limited since the vulnerability does not grant access to private data but could indirectly affect trust in the platform. Organizations relying on WWBN AVideo for video hosting and management risk content loss, reputational damage, and operational disruption. Attackers exploiting this flaw could manipulate or remove critical video assets, impacting educational, entertainment, or corporate communications hosted on the platform.
Mitigation Recommendations
Organizations should immediately update WWBN AVideo to the latest patched version that addresses CVE-2026-33650. If immediate patching is not possible, restrict the 'Videos Moderator' permission to trusted users only and monitor their activities closely. Implement additional access control layers such as web application firewalls (WAFs) to detect and block suspicious API calls related to video ownership transfer and deletion. Conduct thorough audits of user permissions and video ownership records to detect unauthorized changes. Employ logging and alerting mechanisms to identify unusual patterns of video edits or deletions. Review and harden authorization logic in custom deployments or forks of AVideo to ensure consistent permission checks across all video management endpoints. Finally, educate administrators and moderators about the risks of privilege escalation and enforce the principle of least privilege.
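As an added example of the logging and alerting step above (not part of the original analysis), the rule below flags the two-event sequence this vulnerability produces: a user changing a video's owner to themselves, followed by that user deleting the same video within a short window. The log line format is constructed for the example; AVideo's own audit logging is not assumed, so the field names should be mapped from whatever the deployment actually emits (application log, reverse-proxy access log, or database change records).

```python
"""Detection rule for owner-transfer-then-delete (constructed example).

The log format is invented for this example: one event per line with
space-separated key=value fields. Nothing here reflects AVideo's real logs.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) video=(?P<video>\d+)"
    r"(?: field=(?P<field>\S+) old=(?P<old>\S+) new=(?P<new>\S+))?$"
)

# Constructed sample: a benign status edit, a moderator taking ownership of
# someone else's video and deleting it, and a legitimate owner-initiated
# transfer followed by a delete by the new owner much later.
SAMPLE_LOG = """\
2026-03-24T10:00:01Z user=alice action=video_edit video=42 field=status old=Active new=Unlisted
2026-03-24T10:05:10Z user=mallory action=video_edit video=42 field=status old=Unlisted new=Active
2026-03-24T10:06:00Z user=mallory action=video_edit video=42 field=owner old=alice new=mallory
2026-03-24T10:06:30Z user=mallory action=video_delete video=42
2026-03-24T11:00:00Z user=bob action=video_edit video=77 field=owner old=bob new=carol
2026-03-24T12:00:00Z user=carol action=video_delete video=77
"""

WINDOW = timedelta(minutes=30)  # how close a delete must follow the transfer


def parse(line: str):
    """Return the event as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text: str, window: timedelta = WINDOW) -> list:
    """Return (rule, user, video, timestamp) tuples for suspicious events."""
    alerts = []
    pending = {}  # (user, video) -> time of a self-serving owner change
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["user"], ev["video"])
        if ev["action"] == "video_edit" and ev["field"] == "owner":
            # Owner changed to the acting user by someone who was not the owner.
            if ev["new"] == ev["user"] and ev["old"] != ev["user"]:
                alerts.append(("self_transfer", ev["user"], ev["video"], ev["ts"]))
                pending[key] = ev["ts"]
        elif ev["action"] == "video_delete":
            t0 = pending.pop(key, None)
            if t0 is not None and ev["ts"] - t0 <= window:
                alerts.append(("transfer_then_delete", ev["user"], ev["video"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, user, video, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule}: user={user} video={video}")
```

The first rule fires on the ownership transfer alone, which is the earliest point at which an analyst can intervene; the second correlates it with the deletion and is the higher-confidence signal. Bob handing video 77 to Carol does not trigger either rule because the acting user is not the beneficiary.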
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, India, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T15:23:42.217Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c18a60f4197a8e3b8159f6
Added to database: 3/23/2026, 6:45:52 PM
Last enriched: 3/30/2026, 8:40:52 PM
Last updated: 5/7/2026, 8:32:56 PM