cbcvebase.
CVE-2026-33692
published 2026-06-22

CVE-2026-33692: AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration ## Vulnerability Details **CWE**: CWE-538 - Insertion of…

high
AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration

## Vulnerability Details

**CWE**: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory

The official `docker-compose.yml` (line 61) mounts the entire project root directory as the Apache document root:

```yaml
volumes:
- "./:/var/www/html/AVideo"
```

This causes the `.env` file — which contains database credentials, admin passwords, and infrastructure configuration — to be served as a static file at `/.env`. No `.htaccess` rule or Apache configuration blocks access to dotfiles.

### Exposed Information

An unauthenticated request to `GET /.env` returns:

```
DB_MYSQL_HOST=database
DB_MYSQL_USER=avideo
DB_MYSQL_PASSWORD=avideo
SYSTEM_ADMIN_PASSWORD=admin123
TLS_CERTIFICATE_FILE=/etc/apache2/ssl/localhost.crt
TLS_CERTIFICATE_KEY=/etc/apache2/ssl/localhost.key
NETWORK_SUBNET=172.30.0.0/16
```

## Steps to Reproduce

### Prerequisites
- AVideo deployed using the official `docker-compose.yml`
- No modifications to the default configuration

### Steps
1. Deploy AVideo using `docker compose up -d`
2. Send: `curl http://target/.env`
3. The full `.env` file contents are returned, including database credentials and admin password

## Impact

- **Attacker**: Unauthenticated (any remote user)
- **Victim**: AVideo server and database
- **Specific damage**: Attacker obtains database credentials (`DB_MYSQL_USER`, `DB_MYSQL_PASSWORD`), admin password (`SYSTEM_ADMIN_PASSWORD`), and internal network topology (`NETWORK_SUBNET`). This enables direct database access, admin panel takeover, and further lateral movement within the Docker network.

## Proposed Fix

Add a `.htaccess` rule to block access to dotfiles:

```apache
# Block access to hidden files (.env, .git, etc.)

Order Allow,Deny
Deny from all

```

Or configure Apache to deny dotfile access in the virtual host configuration.

Affected

1 ranges
VendorProductVersion rangeFixed in
wwbnavideo>= 0 < 29.029.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.