CVE-2026-33719: CWE-306: Missing Authentication for Critical Function in WWBN AVideo
CVE-2026-33719 is a high-severity vulnerability in WWBN AVideo versions up to 26.0 affecting the CDN plugin. The plugin endpoints use key-based authentication with a default empty-string key which, if left unconfigured, allows unauthenticated attackers to bypass authentication entirely. This enables attackers to modify critical CDN configuration, including URLs, storage credentials, and authentication keys, via mass-assignment through the 'par' request parameter. The vulnerability stems from missing authentication controls on critical functions (CWE-306). Exploitation requires no user interaction or privileges and can lead to significant integrity and limited confidentiality impacts. A patch has been committed to address this issue. Organizations using affected versions should apply the patch promptly and verify CDN plugin configurations to prevent unauthorized access.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-33719 is a vulnerability identified in the WWBN AVideo open-source video platform, specifically affecting versions up to and including 26.0. The issue resides in the CDN plugin, which exposes two endpoints: `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php`. These endpoints rely on key-based authentication; however, the default key is an empty string. If administrators do not explicitly configure a non-empty key, the authentication check is effectively bypassed, allowing any unauthenticated attacker to access these endpoints. Through mass-assignment via the `par` request parameter, attackers can manipulate the entire CDN configuration, including critical parameters such as CDN URLs, storage credentials, and even the authentication key itself. This vulnerability is classified under CWE-306, indicating missing authentication for critical functions. The flaw allows attackers to alter the integrity of the CDN configuration, potentially redirecting video content delivery, exfiltrating credentials, or locking out legitimate administrators by changing keys. The CVSS v3.1 base score is 8.6, reflecting a high severity due to network attack vector, no required privileges or user interaction, and significant impact on integrity with some impact on confidentiality and availability. Although no known exploits are reported in the wild, the vulnerability presents a serious risk to affected deployments. A patch has been committed (commit adeff0a31ba04a56f411eef256139fd7ed7d4310) to enforce proper authentication and prevent bypass. Organizations should update to patched versions and audit their CDN plugin configurations to ensure keys are properly set and endpoints are secured.
Potential Impact
The vulnerability allows unauthenticated attackers to fully control the CDN plugin configuration in WWBN AVideo installations running vulnerable versions. This can lead to several impactful scenarios: attackers can redirect video content delivery to malicious or unauthorized servers, potentially distributing malicious content or intercepting user data. They can exfiltrate or alter storage credentials, risking data theft or loss. Changing authentication keys can lock out legitimate administrators, causing denial of service or persistent unauthorized access. The integrity of the video delivery infrastructure is severely compromised, and confidentiality is partially impacted due to exposure of sensitive configuration data. Availability impact is low but possible if attackers disable CDN functionality. Organizations relying on AVideo for content delivery face risks of brand damage, user trust erosion, and potential regulatory consequences if user data is exposed or manipulated. The ease of exploitation and lack of authentication requirements increase the likelihood of attacks, especially in environments where default configurations are left unchanged.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update WWBN AVideo to a version that includes the patch commit adeff0a31ba04a56f411eef256139fd7ed7d4310 or later. If immediate patching is not possible, administrators must ensure that the CDN plugin key is explicitly configured to a strong, non-empty value to prevent authentication bypass. Access to the CDN plugin endpoints should be restricted using network controls such as firewall rules or VPNs to limit exposure to trusted administrators only. Regular audits of CDN plugin configurations should be conducted to detect unauthorized changes. Implement monitoring and alerting on configuration changes to quickly identify suspicious activity. Additionally, consider isolating the AVideo platform within a segmented network zone to reduce the blast radius of potential exploitation. Finally, educate administrators about the risks of default configurations and enforce secure deployment practices.
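As an added illustration of the CWE-306 pattern the analysis describes (an empty default key that satisfies a loose comparison, plus unrestricted assignment from `par`) next to the fail-closed handling the mitigation calls for. This is example code, not AVideo's: the configuration layout, field names and function names are assumptions.

```php
<?php
// Added illustration of the weakness described above. NOT AVideo's code:
// the config layout, field names and function names are assumptions.
declare(strict_types=1);

// Weak pattern: the key defaults to '' and is compared loosely with the request.
// With no key configured, a request that omits the parameter still matches,
// because '' == null is true in PHP.
function weakKeyCheck(array $config, array $request): bool
{
    $configured = $config['key'] ?? '';
    $presented  = $request['key'] ?? null;
    return $configured == $presented;
}

// Hardened check: fail closed when no (or only a short) key is configured,
// require a non-empty string from the caller, and compare in constant time.
function hardenedKeyCheck(array $config, array $request): bool
{
    $configured = $config['key'] ?? '';
    if (!is_string($configured) || strlen($configured) < 32) {
        return false;   // an unconfigured or weak key never authenticates anyone
    }
    $presented = $request['key'] ?? null;
    if (!is_string($presented) || $presented === '') {
        return false;
    }
    return hash_equals($configured, $presented);
}

// Mass-assignment guard: only allow-listed fields may be written from 'par';
// the authentication key and storage credentials are never request-writable.
function applyParUpdate(array $current, array $par): array
{
    $assignable = ['url' => true, 'enabled' => true];
    foreach ($par as $field => $value) {
        if (isset($assignable[$field])) {
            $current[$field] = $value;
        }
    }
    return $current;
}

// Constructed sample: default (unconfigured) key and a request carrying no key,
// but a 'par' blob that tries to overwrite the key and the storage secret too.
$config  = ['key' => '', 'url' => 'https://cdn.example.invalid', 'storage_secret' => 'sample'];
$request = ['par' => ['url' => 'https://other.example.invalid', 'key' => 'x', 'storage_secret' => 'y']];

echo 'weak check accepts key-less request: ', var_export(weakKeyCheck($config, $request), true), PHP_EOL;
echo 'hardened check accepts it:          ', var_export(hardenedKeyCheck($config, $request), true), PHP_EOL;
print_r(applyParUpdate($config, $request['par']));   // only 'url' is changed
```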
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T17:06:05.749Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c18de8f4197a8e3b82ea87
Added to database: 3/23/2026, 7:00:56 PM
Last enriched: 3/23/2026, 7:16:19 PM
Last updated: 3/23/2026, 9:09:09 PM