CVE-2026-33719: CWE-306: Missing Authentication for Critical Function in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration — including CDN URLs, storage credentials, and the authentication key itself — via mass-assignment through the `par` request parameter. Commit adeff0a31ba04a56f411eef256139fd7ed7d4310 contains a patch.
AI Analysis
Technical Summary
WWBN AVideo is an open-source video platform that includes a CDN plugin to manage content delivery network settings. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` rely on a key-based authentication mechanism. However, the default key is an empty string, which means if administrators do not explicitly configure a key, the authentication check is bypassed entirely. This missing authentication for critical functions (CWE-306) allows any unauthenticated attacker to send crafted requests with the `par` parameter to perform mass-assignment, modifying the entire CDN configuration. This includes changing CDN URLs, storage credentials, and even the authentication key itself, effectively granting full control over CDN settings. The vulnerability is remotely exploitable without any privileges or user interaction, making it highly dangerous. The CVSS 3.1 score of 8.6 reflects the high impact on integrity and moderate impact on confidentiality and availability. Although no known exploits are reported in the wild yet, a patch has been committed (commit adeff0a31ba04a56f411eef256139fd7ed7d4310) to address the issue by enforcing proper authentication checks.
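The two defects the summary describes, a shared-key check that fails open when the key is still its empty default, and a `par` mass-assignment that writes every submitted field into the configuration, are shown below in a constructed Python model together with the fail-closed, allow-listed form a fix would take. This is an added illustration, not AVideo's PHP code or its patch; the field names, `ALLOWED_FIELDS` and `handle_request` are assumptions.

```python
import hmac
from typing import Mapping, Tuple

# Constructed model of the CWE-306 pattern, not the project's code.
DEFAULT_KEY = ""            # insecure default: key "not configured"
ALLOWED_FIELDS = {"cdn_url"}  # assumed allow-list of fields the endpoint may change


def check_key_vulnerable(configured_key: str, presented_key: str) -> bool:
    """Fails open: an unconfigured (empty) key skips validation entirely."""
    if configured_key == DEFAULT_KEY:
        return True  # the bug: no key set means no check at all
    return presented_key == configured_key


def check_key_hardened(configured_key: str, presented_key: str) -> bool:
    """Fails closed: no configured key means nobody is authorised."""
    if not configured_key:
        return False
    # constant-time comparison so the key cannot be recovered via timing
    return hmac.compare_digest(configured_key.encode(), presented_key.encode())


def apply_par_vulnerable(config: dict, par: Mapping[str, str]) -> dict:
    """Mass-assignment: every key in `par` is written straight into config."""
    updated = dict(config)
    updated.update(par)  # includes "key", storage credentials, anything
    return updated


def apply_par_hardened(config: dict, par: Mapping[str, str]) -> dict:
    """Only allow-listed fields are updated; the key and credentials are not."""
    updated = dict(config)
    for field in ALLOWED_FIELDS:
        if field in par:
            updated[field] = par[field]
    return updated


def handle_request(config: dict, presented_key: str, par: Mapping[str, str],
                   hardened: bool = True) -> Tuple[int, dict]:
    """Return (HTTP status, resulting config) for one config-update request."""
    check = check_key_hardened if hardened else check_key_vulnerable
    if not check(config.get("key", DEFAULT_KEY), presented_key):
        return 403, config
    apply = apply_par_hardened if hardened else apply_par_vulnerable
    return 200, apply(config, par)
```

The hardened path also refuses requests until an administrator has set a key, which is the same effect the mitigation of configuring a strong, non-empty key has on the unpatched code.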
Potential Impact
This vulnerability allows attackers to fully control the CDN configuration of affected WWBN AVideo instances, which can lead to several severe consequences. Attackers can redirect video content delivery to malicious or unauthorized servers, potentially distributing malicious content or intercepting user data, impacting confidentiality. They can alter storage credentials, risking data theft or deletion, affecting integrity and availability. Changing authentication keys can lock out legitimate administrators, causing denial of service. The ability to perform these actions without authentication and remotely increases the risk of widespread exploitation. Organizations relying on AVideo for video streaming, especially those using the CDN plugin, face risks of content tampering, data breaches, service disruption, and reputational damage. The vulnerability undermines trust in the platform’s security and could be leveraged in broader supply chain or content poisoning attacks.
Mitigation Recommendations
Organizations should immediately upgrade WWBN AVideo to a version that includes the patch fixing CVE-2026-33719. If upgrading is not immediately possible, administrators must ensure that the CDN plugin key is explicitly configured to a strong, non-empty value to prevent bypass of authentication. Review and restrict access to the CDN plugin endpoints via network controls such as firewalls or web application firewalls (WAFs) to limit exposure. Implement monitoring and alerting for unexpected changes to CDN configuration parameters. Conduct regular audits of plugin configurations and access logs to detect unauthorized modifications. Additionally, consider isolating the AVideo management interface from public networks or restricting it to trusted IP ranges. Finally, educate administrators on the importance of configuring security keys and promptly applying security patches.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T17:06:05.749Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c18de8f4197a8e3b82ea87
Added to database: 3/23/2026, 7:00:56 PM
Last enriched: 3/30/2026, 8:19:11 PM
Last updated: 5/7/2026, 4:35:03 AM