CVE-2026-33688: CWE-204: Observable Response Discrepancy in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned — at scale and without solving any captcha — by observing three distinct JSON error responses. Commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contains a patch.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-33688 affects WWBN AVideo, an open-source video platform, in versions up to and including 26.0. The issue lies in the password recovery endpoint located at `objects/userRecoverPass.php`. This endpoint performs user existence and account status verification before validating the captcha challenge. As a result, an unauthenticated attacker can send requests to this endpoint and receive one of three distinct JSON error responses indicating whether a username exists and whether the account is active, inactive, or banned. This behavior constitutes an observable response discrepancy (CWE-204) that enables user enumeration without requiring any user interaction or captcha solving. The vulnerability does not allow direct password resets or account takeover, but it leaks sensitive information about user accounts. The patch, referenced by commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157, reorders the logic so that captcha validation occurs before any user or account status checks, preventing attackers from distinguishing account states via response differences. The CVSS v3.1 base score is 5.3, reflecting medium severity with a network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact. No known exploits are currently reported in the wild.
Potential Impact
The primary impact of this vulnerability is information disclosure through username enumeration and account status enumeration. Attackers can compile lists of valid usernames and identify which accounts are active, inactive, or banned. This information can be leveraged for targeted phishing campaigns, credential stuffing attacks using leaked or common passwords, or social engineering attacks aimed at specific users. While the vulnerability does not allow direct account compromise or denial of service, the leaked information weakens the security posture of affected organizations by facilitating further attacks. Organizations with large user bases or high-value accounts on WWBN AVideo platforms are at greater risk. Additionally, because no captcha is enforced before the user checks, attackers can automate enumeration at scale, increasing the threat magnitude. The exposure of banned or inactive account statuses may also reveal internal account management policies or user behavior patterns.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately apply the patch referenced by commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 or upgrade to a version later than 26.0 that contains the fix. Beyond patching, it is recommended to redesign the password recovery workflow so that captcha challenges are validated before any user existence or account status checks, removing the response discrepancy. Implement rate limiting and IP-based throttling on password recovery endpoints to reduce automated enumeration attempts. Logging and monitoring of suspicious password recovery requests can help detect enumeration activity. Consider returning generic error messages that do not reveal account existence or status. Additionally, multi-factor authentication (MFA) should be enforced on accounts to mitigate risks from credential stuffing attacks that may follow enumeration. Regular security assessments of authentication and recovery endpoints are advised to identify similar logic flaws.
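The ordering fix described above, as an added PHP illustration that is not AVideo's own code: the vulnerable handler branches on account state before the captcha check, while the hardened handler checks the captcha first and then returns one message regardless of whether the user exists or what its status is. Helper names, the user table and the message strings are all constructed for the example.

```php
<?php
// Added illustration of the CWE-204 ordering flaw and its fix; not AVideo's
// code. Helper names, user table and message strings are all constructed.
// Vulnerable ordering: lookup and status branching run before the captcha check
// and each branch answers differently, so the reply leaks existence and status.
function recoverVulnerable(array $req, callable $findUser, callable $captchaOk): array
{
    $user = $findUser($req['user'] ?? '');
    if ($user === null) {
        return ['error' => true, 'msg' => 'User not found'];
    }
    if ($user['status'] === 'banned') {
        return ['error' => true, 'msg' => 'User is banned'];
    }
    if ($user['status'] === 'inactive') {
        return ['error' => true, 'msg' => 'User is inactive'];
    }
    if (!$captchaOk($req['captcha'] ?? '')) {
        return ['error' => true, 'msg' => 'Captcha failed'];
    }
    return ['error' => false, 'msg' => 'Recovery email sent'];
}

// Hardened ordering: captcha first, then one response that does not depend on
// whether the user exists or what its status is. Mail goes out only for active
// accounts, but that side effect is invisible in the JSON.
function recoverHardened(array $req, callable $findUser, callable $captchaOk, callable $sendMail): array
{
    if (!$captchaOk($req['captcha'] ?? '')) {
        return ['error' => true, 'msg' => 'Captcha failed'];
    }
    $user = $findUser($req['user'] ?? '');
    if ($user !== null && $user['status'] === 'active') {
        $sendMail($user);
    }
    return ['error' => false, 'msg' => 'If that account exists, a recovery email has been sent'];
}
// Constructed user table; the captcha passes only for the literal answer 'ok'.
$users     = ['alice' => ['status' => 'active'], 'bob' => ['status' => 'banned'], 'carol' => ['status' => 'inactive']];
$findUser  = fn(string $u): ?array => $users[$u] ?? null;
$captchaOk = fn(string $c): bool => $c === 'ok';
$sendMail  = function (array $u): void {};
foreach (['alice', 'bob', 'carol', 'nobody'] as $name) {
    $noCaptcha = ['user' => $name, 'captcha' => ''];
    $solved    = ['user' => $name, 'captcha' => 'ok'];
    printf("%-7s vulnerable, no captcha: %s\n", $name, json_encode(recoverVulnerable($noCaptcha, $findUser, $captchaOk)));
    printf("%-7s hardened, no captcha:   %s\n", $name, json_encode(recoverHardened($noCaptcha, $findUser, $captchaOk, $sendMail)));
    printf("%-7s hardened, solved:       %s\n", $name, json_encode(recoverHardened($solved, $findUser, $captchaOk, $sendMail)));
}
```

With no captcha solved, the vulnerable handler still prints four different replies for the four names, while the hardened handler prints the same reply for all of them in both the unsolved and the solved case.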
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T16:34:59.932Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c18de6f4197a8e3b82dd91
Added to database: 3/23/2026, 7:00:54 PM
Last enriched: 3/23/2026, 7:18:36 PM
Last updated: 3/24/2026, 6:51:09 AM