WWBN AVideo Unauthenticated Privilege Escalation via CSRF (CVE-2026-33649)
WWBN AVideo platform versions up to 26.0 are vulnerable to privilege escalation via a CSRF vulnerability in the `plugin/Permissions/setPermission.json.php` endpoint, allowing an unauthenticated attacker to escalate privileges to near-admin access.
WWBN AVideo, an open source video platform, is vulnerable to an unauthenticated privilege escalation vulnerability (CVE-2026-33649) in versions up to and including 26.0. The vulnerability exists within the plugin/Permissions/setPermission.json.php endpoint, which lacks CSRF token validation. Furthermore, the application explicitly sets session.cookie_samesite=None on session cookies, making it susceptible to cross-site request forgery (CSRF) attacks. An attacker can exploit this by crafting a malicious HTML page containing <img> tags that, when visited by an authenticated administrator, silently grant arbitrary permissions to a user group controlled by the attacker. This results in the attacker gaining near-administrator privileges on the AVideo platform. There is currently no patched version available.
Attack Chain
- Attacker identifies a vulnerable AVideo instance running version 26.0 or earlier.
- Attacker registers a low-privilege user account on the AVideo platform.
- Attacker crafts a malicious HTML page containing multiple
<img>tags. Each<img>tag'ssrcattribute points to the vulnerableplugin/Permissions/setPermission.json.phpendpoint on the target AVideo instance. - The GET parameters within the
srcattribute of the<img>tags are constructed to grant specific administrative permissions to the attacker's user group. This includes permissions to manage users, videos, plugins, and other sensitive settings. - The attacker social engineers an administrator of the AVideo instance to visit the malicious HTML page. This could be achieved through phishing or by hosting the page on a website likely to be visited by the admin.
- When the administrator visits the page, their browser automatically sends HTTP GET requests to the AVideo instance for each
<img>tag. Becausesession.cookie_samesiteis set toNoneand no CSRF token is required, the administrator's session cookie is sent with these requests. - The AVideo server processes these requests as if they were legitimate actions performed by the administrator, granting the specified permissions to the attacker's user group.
- The attacker logs into their low-privilege account and now has elevated privileges, allowing them to perform administrative tasks such as modifying system settings, uploading malicious videos, or creating new administrator accounts.
Impact
Successful exploitation of this vulnerability allows an unauthenticated attacker to gain near-administrator level access to the AVideo platform. This can lead to complete compromise of the platform, including unauthorized modification of video content, access to sensitive user data, and the ability to inject malicious code into the platform. The lack of a patched version means all vulnerable AVideo instances are at risk until an update is released and applied. The severity is high due to the ease of exploitation and the significant impact on confidentiality, integrity, and availability.
Recommendation
- Deploy the Sigma rule
AVideo_Privilege_Escalation_Image_Requestto detect suspicious requests to theplugin/Permissions/setPermission.json.phpendpoint in your web server logs. - Deploy the Sigma rule
AVideo_Privilege_Escalation_Cookie_Settingto detect instances wheresession.cookie_samesiteis explicitly set toNonein the application's HTTP responses, which is the prerequisite for this CSRF exploit. - Monitor web server logs for unexpected GET requests to the
plugin/Permissions/setPermission.json.phpendpoint originating from unusual referrers or user agents. - Until a patch is released, implement a temporary mitigation by adding CSRF protection to the
plugin/Permissions/setPermission.json.phpendpoint. This may require code modifications. - Apply available patches as soon as they are released by WWBN for AVideo to address CVE-2026-33649.
Detection coverage 2
AVideo Privilege Escalation Image Request
highDetects suspicious GET requests to the `plugin/Permissions/setPermission.json.php` endpoint, potentially indicating a CSRF attack attempting to escalate privileges.
AVideo Privilege Escalation Cookie Setting
mediumDetects when the `session.cookie_samesite` attribute is set to 'None' in HTTP responses, a configuration that increases the risk of CSRF attacks.
Detection queries are available on the platform. Get full rules →