CVE-2026-33684
Published 2026-06-22
Severity: medium
AVideo's Privilege Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions
## Summary
The `set_api_signUp` method in the API plugin accepts `emailVerified`, `canUpload`, `canStream`, and `canCreateMeet` parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid APISecret. Any anonymous user who can solve a CAPTCHA can self-grant elevated permissions during account registration.
## Details
The authentication check in `set_api_signUp` (`plugin/API/API.php:4222`) allows either a valid APISecret (admin-level credential) or a solved CAPTCHA (anonymous access):
```php
// plugin/API/API.php:4222-4232
// Either the caller presents the admin-level APISecret, or it must solve a
// CAPTCHA. Both outcomes fall through to the same code below.
if ($obj->APISecret !== @$_REQUEST['APISecret']) {
    if (empty($_REQUEST['captcha'])) {
        return new ApiObject("Captcha is required");
    }
    require_once $global['systemRootPath'] . 'objects/captcha.php';
    $valid = Captcha::validation($_REQUEST['captcha']);
    if (!$valid) {
        return new ApiObject("Captcha is wrong, reload it and try again");
    }
}
```
After this check, both code paths (APISecret and CAPTCHA) reach the privilege parameter handling unconditionally:
```php
// plugin/API/API.php:4238-4249
// No check here on how the request was authenticated: the flags are copied
// from the request into $global whether the caller used the APISecret or
// only a CAPTCHA.
if (isset($_REQUEST['emailVerified'])) {
    $global['emailVerified'] = intval($_REQUEST['emailVerified']);
}
if (isset($_REQUEST['canCreateMeet'])) {
    $global['canCreateMeet'] = intval($_REQUEST['canCreateMeet']);
}
if (isset($_REQUEST['canStream'])) {
    $global['canStream'] = intval($_REQUEST['canStream']);
}
if (isset($_REQUEST['canUpload'])) {
    $global['canUpload'] = intval($_REQUEST['canUpload']);
}
```
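As an added illustration, not code from the AVideo project or from this advisory, the PHP below models the two code paths above: the vulnerable shape copies the four privilege flags from the request no matter how the caller authenticated, while the hardened shape honours them only when the request carried the APISecret and leaves CAPTCHA-only sign-ups on site defaults. The function names, the `PRIVILEGE_KEYS` constant, the constructed secret and the CAPTCHA stand-in closure are assumptions for the example; only the request keys (`APISecret`, `captcha`, `emailVerified`, `canCreateMeet`, `canStream`, `canUpload`) come from the advisory.

```php
<?php
// Added example (not AVideo project code). Function names, PRIVILEGE_KEYS and
// the CAPTCHA stand-in are assumptions; the request keys come from the advisory.
declare(strict_types=1);

const PRIVILEGE_KEYS = ['emailVerified', 'canCreateMeet', 'canStream', 'canUpload'];

/**
 * Classify how a sign-up request authenticated.
 * Returns 'apisecret', 'captcha', or null when the request must be rejected.
 */
function signUpAuthLevel(array $request, string $configuredSecret, callable $captchaValid): ?string
{
    $supplied = $request['APISecret'] ?? '';
    // hash_equals avoids a timing side channel; refusing an empty configured
    // secret means a blank parameter can never "match" an unset secret.
    if ($configuredSecret !== '' && is_string($supplied) && hash_equals($configuredSecret, $supplied)) {
        return 'apisecret';
    }
    if (empty($request['captcha']) || !$captchaValid((string) $request['captcha'])) {
        return null;
    }
    return 'captcha';
}

/**
 * Vulnerable shape: flags are read from the request regardless of auth level
 * (the same pattern as the API.php excerpt above).
 */
function vulnerablePermissions(array $request): array
{
    $perms = [];
    foreach (PRIVILEGE_KEYS as $key) {
        if (isset($request[$key])) {
            $perms[$key] = intval($request[$key]);
        }
    }
    return $perms;
}

/**
 * Hardened shape: flags are honoured only on the APISecret path. An anonymous
 * (CAPTCHA) sign-up gets an empty array, i.e. the account keeps site defaults.
 */
function hardenedPermissions(array $request, ?string $authLevel): array
{
    if ($authLevel !== 'apisecret') {
        return [];
    }
    $perms = [];
    foreach (PRIVILEGE_KEYS as $key) {
        if (isset($request[$key])) {
            // clamp to 0/1 so even the admin client cannot store odd values
            $perms[$key] = intval($request[$key]) ? 1 : 0;
        }
    }
    return $perms;
}

// Constructed demo input: an anonymous caller who solved the CAPTCHA and
// asked for every privilege flag.
$configuredSecret = 'example-secret';                            // constructed
$captchaStandIn   = static fn(string $c): bool => $c === 'ok';   // stand-in for Captcha::validation

$anonRequest = [
    'captcha' => 'ok',
    'emailVerified' => '1', 'canCreateMeet' => '1', 'canStream' => '1', 'canUpload' => '1',
];
$anonLevel = signUpAuthLevel($anonRequest, $configuredSecret, $captchaStandIn);
var_dump($anonLevel);
var_dump(vulnerablePermissions($anonRequest));          // flags leak through
var_dump(hardenedPermissions($anonRequest, $anonLevel)); // flags dropped

// The same flags presented with the admin credential are still honoured.
$adminRequest = $anonRequest + ['APISecret' => $configuredSecret];
$adminLevel = signUpAuthLevel($adminRequest, $configuredSecret, $captchaStandIn);
var_dump(hardenedPermissions($adminRequest, $adminLevel));
```

Run it with `php example.php`: the anonymous request classifies as the CAPTCHA path, the vulnerable helper returns all four flags set to 1 for it, and the hardened helper returns nothing, while the request carrying the APISecret keeps its flags. The point of the split is that the decision about *which* path authenticated the caller must be carried forward to wherever the flags are applied, rather than both paths converging before the privileged parameters are read.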
These `$global` values are then consumed by `User::save()` (`objects/user.php:829-840`), which copies them onto the user object's permission fields, overriding the site defaults the new account would otherwise receive:
```php
// objects/user.php:829-840
if (isset($global['emailVerified'])) {
    $this->emailVerified = $global['emailVerified'];
}
if (isset($global['canCreateMeet'])) {
    $this->canCreateMeet = $global['canCreateMeet'];
}
// The same guard-and-assign pattern covers canStream and canUpload
// (per the summary above; those lines are not quoted in this excerpt).
```
## Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | >= 0 < 29.0 | 29.0 |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.