The vulnerability identified as CVE-2026-33688 affects WWBN AVideo, an open-source video platform, in all versions up to and including 26.0. The issue resides in the password recovery endpoint located at `objects/userRecoverPass.php`. This endpoint checks for user existence and account status (active, inactive, banned) before validating the captcha challenge. Consequently, it returns three distinct JSON error responses that reveal whether a username exists and its account status. Because these responses differ, an unauthenticated attacker can enumerate valid usernames and determine account states without needing to solve any captcha, enabling large-scale automated enumeration. This behavior corresponds to CWE-204 (Observable Response Discrepancy), a class of vulnerabilities where differences in error messages leak sensitive information. The vulnerability does not allow direct compromise of account credentials or system integrity but leaks information that can be leveraged for further attacks such as targeted phishing, credential stuffing, or social engineering. The CVSS 3.1 base score is 5.3 (medium), reflecting the low complexity of exploitation (no privileges or user interaction required) but limited impact (confidentiality only, no integrity or availability impact). A patch has been committed (commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157) that presumably normalizes responses and enforces captcha validation before user existence checks, mitigating the enumeration risk.

The primary impact of this vulnerability is information disclosure through user enumeration and account status detection. Attackers can compile lists of valid usernames and identify which accounts are active, inactive, or banned. This information can be exploited to craft targeted phishing campaigns, perform credential stuffing attacks with higher success rates, or identify privileged or sensitive accounts for further compromise attempts. While the vulnerability does not directly allow account takeover or system compromise, it significantly lowers the attacker's effort in reconnaissance and increases the likelihood of successful downstream attacks. Organizations relying on WWBN AVideo for video hosting or streaming services may face increased risk of user account abuse, privacy violations, and reputational damage. The vulnerability affects all unauthenticated users, making it accessible to any external attacker scanning for vulnerable instances. No known exploits in the wild have been reported yet, but the ease of exploitation and the value of enumerated data make it a credible threat.

To mitigate this vulnerability, organizations should immediately apply the official patch referenced by commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 once available. In the absence of a patch, administrators can implement the following measures: 1) Modify the password recovery endpoint to perform captcha validation before any user existence or account status checks, preventing automated enumeration. 2) Normalize all error responses to be identical regardless of username validity or account status, eliminating observable discrepancies. 3) Implement rate limiting and IP throttling on password recovery requests to reduce the feasibility of large-scale enumeration. 4) Monitor logs for suspicious enumeration patterns and block offending IP addresses. 5) Educate users about phishing risks and encourage strong, unique passwords combined with multi-factor authentication to reduce the impact of credential stuffing. 6) Consider deploying Web Application Firewalls (WAFs) with rules to detect and block enumeration attempts targeting this endpoint. These steps collectively reduce the attack surface and limit the information leakage that facilitates further attacks.