CVE-2026-33719: Missing Authentication for Critical Function in AVideo

Severity: 8.6 HIGH (NVD)
EPSS: 0.1% (top 68.67%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 23; latest update Mar 25

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration — including CDN URLs, storage credentials, and the au

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Exploitability: 3.9 | Impact: 4.7

Affected Packages (2 packages)

NVD: wwbn/avideo 26.0
Packagist: wwbn/avideo 26.0

Vulnerability Details (2)

GHSA: AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment (2026-03-25)
OSV: AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment (2026-03-25)

Threat Intelligence (1)

Wiz: CVE-2026-33719 Impact, Exploitability, and Mitigation Steps | Wiz