CVE-2026-33692
Published 2026-06-22

Severity: high
# AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration

## Vulnerability Details

**CWE**: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory

The official `docker-compose.yml` (line 61) mounts the entire project root directory as the Apache document root:

```yaml
volumes:
  - "./:/var/www/html/AVideo"
```

This causes the `.env` file — which contains database credentials, admin passwords, and infrastructure configuration — to be served as a static file at `/.env`. No `.htaccess` rule or Apache configuration blocks access to dotfiles.

### Exposed Information

An unauthenticated request to `GET /.env` returns:

```
DB_MYSQL_HOST=database
DB_MYSQL_USER=avideo
DB_MYSQL_PASSWORD=avideo
SYSTEM_ADMIN_PASSWORD=admin123
TLS_CERTIFICATE_FILE=/etc/apache2/ssl/localhost.crt
TLS_CERTIFICATE_KEY=/etc/apache2/ssl/localhost.key
NETWORK_SUBNET=172.30.0.0/16
```

## Steps to Reproduce

### Prerequisites

- AVideo deployed using the official `docker-compose.yml`
- No modifications to the default configuration

### Steps

1. Deploy AVideo using `docker compose up -d`
2. Send: `curl http://target/.env`
3. The full `.env` file contents are returned, including database credentials and admin password

## Impact

- **Attacker**: Unauthenticated (any remote user)
- **Victim**: AVideo server and database
- **Specific damage**: Attacker obtains database credentials (`DB_MYSQL_USER`, `DB_MYSQL_PASSWORD`), admin password (`SYSTEM_ADMIN_PASSWORD`), and internal network topology (`NETWORK_SUBNET`). This enables direct database access, admin panel takeover, and further lateral movement within the Docker network.

## Proposed Fix

Add a `.htaccess` rule to block access to dotfiles:

```apache
# Block access to hidden files (.env, .git, etc.)
# Apache 2.4 without mod_access_compat: replace the two directives inside with "Require all denied"
<FilesMatch "^\.">
    Order Allow,Deny
    Deny from all
</FilesMatch>
```

Or configure Apache to deny dotfile access in the virtual host configuration.
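Two checks a defender would run on an AVideo deployment after reading the above, as an added example that is not part of the advisory: a scan of Apache access-log lines for dotfile requests (showing which probes were actually served versus blocked by the fix), and a lint of a `docker-compose.yml` for the project-root bind mount described under Vulnerability Details. It assumes Apache's combined log format and standard compose volume syntax; the log lines and compose snippet are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit
# Apache "combined" access-log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# Compose bind mount of the project root ("." or "./") into a path under /var/www.
ROOT_MOUNT_RE = re.compile(r'''^\s*-\s*["']?\./?:(?P<dst>/var/www/\S*?)["']?\s*$''')

def dotfile_requests(lines):
    """(ip, decoded path, status) for every request whose path contains a dotfile segment.

    The path is percent-decoded so "/%2Eenv" is caught too. A 2xx status means Apache
    actually served the file; 403/404 means the deny rule (or the file's absence) held.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        path = unquote(urlsplit(m["target"]).path)
        if any(seg.startswith(".") and seg not in (".", "..") for seg in path.split("/")):
            hits.append((m["ip"], path, int(m["status"])))
    return hits

def served_dotfiles(lines):
    """Dotfile paths answered with 2xx, i.e. confirmed exposure rather than a blocked probe."""
    return sorted({p for _ip, p, st in dotfile_requests(lines) if 200 <= st < 300})

def root_docroot_mounts(compose_text):
    """Container paths under /var/www that a compose file binds the whole project root to."""
    return [m["dst"] for m in map(ROOT_MOUNT_RE.match, compose_text.splitlines()) if m]

# Constructed sample data, not captured from a real deployment.
LOG_SAMPLE = """\
203.0.113.7 - - [22/Jun/2026:10:01:12 +0000] "GET /.env HTTP/1.1" 200 231 "-" "curl/8.5.0"
203.0.113.7 - - [22/Jun/2026:10:01:15 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "curl/8.5.0"
198.51.100.4 - - [22/Jun/2026:10:02:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Jun/2026:10:02:09 +0000] "GET /%2Eenv?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
""".splitlines()

COMPOSE_SAMPLE = """\
services:
  avideo:
    volumes:
      - "./:/var/www/html/AVideo"
      - "./videos:/var/www/html/AVideo/videos"
"""
```

Run `dotfile_requests` over a real log after applying the `.htaccess` fix: any remaining 2xx entry in `served_dotfiles` means the rule is not taking effect (for example because `AllowOverride` does not permit it).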
## Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | >= 0 < 29.0 | 29.0 |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.