AVideo HLS Path Traversal Vulnerability (CVE-2026-33292)
AVideo versions before 26.0 are vulnerable to an unauthenticated path traversal attack via the HLS streaming endpoint, allowing unauthorized access to private or paid videos by manipulating the `videoDirectory` GET parameter due to inconsistent path handling.
WWBN AVideo, an open-source video platform, is susceptible to a path traversal vulnerability in versions prior to 26.0. The vulnerability, identified as CVE-2026-33292, resides within the HLS streaming endpoint (view/hls.php). An unauthenticated attacker can exploit this flaw to bypass authorization checks and stream private or paid videos without proper credentials. The root cause lies in the inconsistent handling of the videoDirectory GET parameter, where authorization checks truncate the path while file access preserves traversal sequences ("../"), creating a split-oracle condition. Successful exploitation grants unauthorized access to restricted content, potentially leading to data leakage and financial losses for content creators and platform owners. The vulnerability was patched in version 26.0.
Attack Chain
- The attacker crafts a malicious HTTP GET request targeting the
view/hls.phpendpoint. - The request includes the
videoDirectoryparameter with a path traversal sequence (e.g.,../../private_video). - The authorization check truncates the
videoDirectoryparameter at the first/, effectively validating against a different, potentially public, video. - The file access mechanism uses the original, untruncated
videoDirectoryparameter, resolving the path with traversal sequences. - The server retrieves the content from the specified private video file based on the manipulated path.
- The server streams the content of the unauthorized video back to the attacker.
- The attacker gains unauthorized access to private or paid video content.
Impact
Successful exploitation of CVE-2026-33292 allows unauthenticated attackers to bypass access controls and stream private or paid videos on vulnerable AVideo platforms. This can lead to unauthorized access to sensitive content, financial losses for content creators who rely on paid subscriptions, and reputational damage for the platform. The number of affected AVideo installations is currently unknown, but any instance running a version prior to 26.0 is potentially vulnerable.
Recommendation
- Upgrade AVideo installations to version 26.0 or later to patch CVE-2026-33292.
- Deploy the Sigma rule
AVideo HLS Path Traversal Attemptto detect exploitation attempts against the vulnerable endpoint. - Monitor web server logs for suspicious requests to
view/hls.phpcontaining path traversal sequences in thevideoDirectoryparameter to identify potential attacks.
Detection coverage 2
AVideo HLS Path Traversal Attempt
highDetects path traversal attempts in the AVideo HLS streaming endpoint by monitoring the videoDirectory parameter for '..' sequences.
AVideo HLS Unauthorized Access Attempt
mediumDetects potential unauthorized access attempts to AVideo HLS endpoint based on HTTP status codes.
Detection queries are available on the platform. Get full rules →