CVE-2026-33716: CWE-287: Improper Authentication in WWBN AVideo
CVE-2026-33716 is a critical improper authentication vulnerability in WWBN AVideo versions up to 26.0. The flaw exists in the standalone live stream control endpoint, which accepts a user-controlled streamerURL parameter that redirects token verification to an attacker-controlled server. This bypasses authentication entirely, allowing unauthenticated attackers to control live streams, including stopping/starting recordings and dropping active publishers. The vulnerability has a CVSS score of 9.4, indicating high impact and ease of exploitation without any privileges or user interaction. A patch is available in commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128. Organizations using affected versions should urgently apply the patch to prevent unauthorized live stream manipulation and potential service disruption.
AI Analysis
Technical Summary
WWBN AVideo is an open-source video platform that supports live streaming. In versions up to and including 26.0, the live stream control endpoint located at plugin/Live/standAloneFiles/control.json.php contains a critical improper authentication vulnerability (CWE-287). This endpoint accepts a user-supplied parameter named streamerURL, which is intended to specify the URL for token verification requests. However, due to insufficient validation, an attacker can supply a malicious streamerURL pointing to a server they control. This malicious server can respond with a fabricated token verification response indicating success ({"error": false}), effectively bypassing the authentication mechanism. As a result, the attacker gains unauthenticated control over live stream management functions, including forcibly dropping active stream publishers, starting or stopping recordings, and probing whether streams exist. This vulnerability allows attackers to disrupt live streaming services, manipulate content, and gather information about streaming activity without any authentication or user interaction. The vulnerability has been assigned CVE-2026-33716 and carries a CVSS 3.1 base score of 9.4 (critical), reflecting its high impact and ease of exploitation. A patch addressing this issue is available in commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128, which presumably corrects the validation of the streamerURL parameter or removes the ability to redirect token verification requests.
Potential Impact
The impact of CVE-2026-33716 is severe for organizations deploying WWBN AVideo versions 26.0 or earlier. Attackers can gain unauthorized control over live streaming operations without any credentials or user interaction, leading to significant confidentiality, integrity, and availability risks. Confidentiality is impacted as attackers can probe stream existence, potentially revealing sensitive streaming activity. Integrity is compromised because attackers can manipulate live streams by forcibly dropping publishers or altering recording states, undermining trust in the platform. Availability is affected as attackers can disrupt live broadcasts by stopping streams or recordings, causing service outages and reputational damage. For organizations relying on live streaming for communications, education, or entertainment, this can result in operational disruption, loss of audience trust, and potential financial losses. The vulnerability's ease of exploitation and lack of authentication requirements make it attractive for attackers, increasing the likelihood of exploitation if unpatched. Although no known exploits in the wild are reported yet, the critical severity and public disclosure necessitate immediate remediation to prevent potential attacks.
Mitigation Recommendations
To mitigate CVE-2026-33716, organizations should immediately upgrade WWBN AVideo to a version that includes the patch from commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 or later. If upgrading is not immediately possible, implement the following specific mitigations:
1) Restrict access to the live stream control endpoint (plugin/Live/standAloneFiles/control.json.php) via network controls such as firewall rules or VPNs to trusted users only.
2) Monitor and log all requests to the live stream control endpoint to detect anomalous or unauthorized usage patterns, especially unusual streamerURL parameters.
3) Employ web application firewalls (WAFs) with custom rules to block requests containing suspicious or external streamerURL values.
4) Conduct thorough code reviews and testing to ensure that any user-supplied URLs used for token verification are strictly validated against a whitelist of trusted domains or disabled if unnecessary.
5) Educate administrators and developers about the risks of redirecting authentication requests to user-controlled endpoints and enforce secure coding practices.
6) Regularly audit and update all dependencies and plugins to minimize exposure to known vulnerabilities.
These targeted actions, combined with patching, will reduce the risk of exploitation and limit the attack surface.
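The following is an added example, not code from the AVideo project or the patch, showing two of the mitigations above in working form: an allowlist check for a token-verification URL such as streamerURL (step 4), and a pass over access-log lines that flags control.json.php requests whose streamerURL points anywhere outside that allowlist (step 2). The trusted hostname, the log lines and the off-site hostnames are constructed assumptions.

```python
"""Allowlist validation for a token-verification URL plus a log check that
flags control.json.php requests carrying an off-site streamerURL.
The hostnames and log lines are constructed for this example."""
from urllib.parse import urlparse, parse_qs
import re

# Assumption: the only host that may verify tokens for this deployment.
TRUSTED_VERIFIER_HOSTS = {"video.example.internal"}

def is_trusted_verifier_url(url: str, trusted_hosts=TRUSTED_VERIFIER_HOSTS) -> bool:
    """Accept only https URLs whose hostname is exactly on the allowlist.
    Rejects userinfo tricks (https://trusted@other/), non-https schemes,
    explicit ports, and hosts that merely contain the trusted name."""
    try:
        p = urlparse(url.strip())
    except ValueError:
        return False
    if p.scheme != "https" or p.username is not None or p.password is not None:
        return False
    if p.port is not None:  # compare the hostname only; no surprise ports
        return False
    host = (p.hostname or "").lower().rstrip(".")
    return host in trusted_hosts

# Constructed sample access-log lines (combined-log shape): one legitimate
# request, one off-site streamerURL, one userinfo-disguised off-site URL.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Mar/2026:19:00:54 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?action=drop&streamerURL=https%3A%2F%2Fvideo.example.internal%2F HTTP/1.1" 200 51
198.51.100.7 - - [23/Mar/2026:19:01:02 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?action=drop&streamerURL=https%3A%2F%2Funtrusted.example%2F HTTP/1.1" 200 51
198.51.100.7 - - [23/Mar/2026:19:01:09 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?action=drop&streamerURL=https%3A%2F%2Fvideo.example.internal%40untrusted.example%2F HTTP/1.1" 200 51
"""

# client IP, then the request path ending in control.json.php and its query string
REQ_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S*control\.json\.php)\?(\S*) ')

def flag_untrusted_streamer_urls(log_text: str):
    """Return (client_ip, decoded streamerURL) for every control.json.php
    request whose streamerURL fails the allowlist check."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        qs = parse_qs(m.group(3))  # percent-decodes the parameter values
        for url in qs.get("streamerURL", []):
            if not is_trusted_verifier_url(url):
                hits.append((m.group(1), url))
    return hits
```

Run against real logs, the returned pairs are the requests worth alerting on; the same `is_trusted_verifier_url` check is what a server-side fix or a WAF rule would need to enforce before any token-verification request is sent.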
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T17:06:05.748Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c18de6f4197a8e3b82dd99
Added to database: 3/23/2026, 7:00:54 PM
Last enriched: 3/30/2026, 8:42:14 PM
Last updated: 5/8/2026, 11:43:29 AM