WWBN AVideo Arbitrary Local File Read Vulnerability (CVE-2026-33354)
WWBN AVideo versions up to 26.0 are vulnerable to an arbitrary local file read via the `chunkFile` parameter in the `POST /objects/aVideoEncoder.json.php` endpoint, allowing authenticated users to read sensitive server files.
WWBN AVideo, an open-source video platform, is susceptible to an arbitrary local file read vulnerability (CVE-2026-33354) in versions up to and including 26.0. The vulnerability resides in the POST /objects/aVideoEncoder.json.php endpoint, which processes chunkFile parameters intended for handling staged upload chunks. However, the application fails to adequately restrict the file paths provided through this parameter. An authenticated user, with privileges to edit their own videos, can manipulate the chunkFile parameter to specify arbitrary local file paths. The application's isValidURLOrPath() helper function, designed to validate file paths, permits access to files within broad server directories such as /var/www/, the application root, cache, tmp, and videos, effectively bypassing security measures and enabling unauthorized file access. This vulnerability allows an attacker to read sensitive files from the server, potentially exposing configuration details, database credentials, or other confidential information. A patch addressing this issue is available in commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f.
Attack Chain
- Attacker authenticates to the AVideo platform with a valid user account that has permission to edit videos.
- The attacker identifies a target file on the server they wish to read (e.g.,
/var/www/avideo/configuration.php). - The attacker crafts a
POSTrequest to/objects/aVideoEncoder.json.php. - In the
POSTrequest body, the attacker sets thechunkFileparameter to the absolute path of the target file (e.g.,chunkFile=/var/www/avideo/configuration.php). - The AVideo application receives the request and calls
isValidURLOrPath()on the suppliedchunkFilevalue. - Since the path is within allowed directories and is not a
.phpfile,isValidURLOrPath()returns true. - The application copies the content of the target file to the attacker's public video storage path.
- The attacker accesses the copied file via HTTP from their video storage path.
Impact
Successful exploitation of CVE-2026-33354 allows an attacker to read arbitrary files from the AVideo server, potentially leading to the disclosure of sensitive information such as configuration files, database credentials, or source code. This information can be used to further compromise the server, escalate privileges, or gain unauthorized access to user data. The number of victims depends on the deployment size of the vulnerable AVideo platform. Sectors affected could include media, education, and any organization using AVideo for video hosting.
Recommendation
- Upgrade AVideo to a version containing the patch from commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f to remediate CVE-2026-33354.
- Deploy the Sigma rule "Detect AVideo ChunkFile LFI Attempt" to your SIEM to detect exploitation attempts.
- Monitor web server logs for
POSTrequests to/objects/aVideoEncoder.json.phpwith suspiciouschunkFileparameters referencing sensitive file paths. - Implement stricter input validation and sanitization for file paths used in file upload functionalities to prevent arbitrary file access.
Detection coverage 2
Detect AVideo ChunkFile LFI Attempt
highDetects potential local file inclusion attempts via the chunkFile parameter in AVideo's aVideoEncoder.json.php endpoint.
Detect AVideo ChunkFile LFI Attempt - PHP Exclusion Bypass
mediumDetects potential local file inclusion attempts via the chunkFile parameter in AVideo's aVideoEncoder.json.php endpoint, specifically targeting bypasses of .php exclusion.
Detection queries are available on the platform. Get full rules →