CVE-2026-33684: CWE-862: Missing Authorization in WWBN AVideo
WWBN AVideo versions prior to 29.0 contain a missing authorization vulnerability in the signUp API. This flaw allows any user who can solve a CAPTCHA to self-assign elevated permissions such as emailVerified, canUpload, canStream, and canCreateMeet during account registration without proper authentication. This bypasses intended access controls and enables privilege escalation. The issue is fixed in version 29.0.
AI Analysis
Technical Summary
CVE-2026-33684 is a missing authorization vulnerability (CWE-862) in WWBN AVideo's signUp API prior to version 29.0. The set_api_signUp method improperly accepts and applies sensitive permission parameters from user input without verifying a valid APISecret. This allows unauthenticated users to escalate privileges by marking their accounts as email-verified and granting themselves upload, streaming, and meeting creation capabilities. The vulnerability is resolved in version 29.0.
Potential Impact
An attacker who can solve a CAPTCHA can bypass email verification and gain elevated permissions on newly created accounts, circumventing administrator-imposed restrictions. This leads to privilege escalation, allowing unauthorized upload, streaming, and meeting creation capabilities. There is no direct confidentiality or availability impact reported.
Mitigation Recommendations
Upgrade WWBN AVideo to version 29.0 or later, where this vulnerability is fixed. No official patch or temporary fix is documented beyond this version upgrade. Until upgraded, restrict access to the signUp API or implement additional authorization checks to prevent abuse.
CVE-2026-33684: CWE-862: Missing Authorization in WWBN AVideo
Description
WWBN AVideo versions prior to 29.0 contain a missing authorization vulnerability in the signUp API. This flaw allows any user who can solve a CAPTCHA to self-assign elevated permissions such as emailVerified, canUpload, canStream, and canCreateMeet during account registration without proper authentication. This bypasses intended access controls and enables privilege escalation. The issue is fixed in version 29.0.
CVSS v3.1
Score 5.3medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33684 is a missing authorization vulnerability (CWE-862) in WWBN AVideo's signUp API prior to version 29.0. The set_api_signUp method improperly accepts and applies sensitive permission parameters from user input without verifying a valid APISecret. This allows unauthenticated users to escalate privileges by marking their accounts as email-verified and granting themselves upload, streaming, and meeting creation capabilities. The vulnerability is resolved in version 29.0.
Potential Impact
An attacker who can solve a CAPTCHA can bypass email verification and gain elevated permissions on newly created accounts, circumventing administrator-imposed restrictions. This leads to privilege escalation, allowing unauthorized upload, streaming, and meeting creation capabilities. There is no direct confidentiality or availability impact reported.
Mitigation Recommendations
Upgrade WWBN AVideo to version 29.0 or later, where this vulnerability is fixed. No official patch or temporary fix is documented beyond this version upgrade. Until upgraded, restrict access to the signUp API or implement additional authorization checks to prevent abuse.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-23T16:34:59.931Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a57f59668715ace437838bd
Added to database: 07/15/2026, 21:03:18 UTC
Last enriched: 07/15/2026, 21:18:30 UTC
Last updated: 07/16/2026, 00:11:20 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.