CVE-2026-33292: Php RCE — Patch Guide
CVE-2026-33292
WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to str...
Overview
A significant security vulnerability, tracked as CVE-2026-33292, has been identified in the WWBN AVideo open-source video platform. This flaw allows an unauthenticated attacker to bypass access controls and stream videos that are meant to be private or behind a paywall. The issue affects all versions prior to 26.0.
Vulnerability Explained
In simple terms, the vulnerability is a path traversal flaw in the platform's HLS video streaming component (view/hls.php). The endpoint uses a request parameter called videoDirectory to identify which video to play, but the code interprets that parameter in two different ways.
One part of the code uses it to decide whether the user is authorized to view the video; that check is incomplete and can be tricked. A separate part uses the same parameter to actually locate and serve the video file from the server's storage. An attacker can craft a request that the authorization check reads as referring to a permitted, public video, while the file-serving code resolves it to a different, private or paid video elsewhere on the server. This type of flaw is known as a split-oracle or authorization bypass condition.
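The inconsistency described above, as an added PHP illustration that is not the project's code and does not reproduce AVideo's actual implementation: a vulnerable pattern that authorizes on one reading of `videoDirectory` and serves on another, next to a hardened version that canonicalizes once and uses that single value for both decisions. The function names, the `isAuthorizedForVideo()` helper and the `$videoRoot` layout are assumptions.

```php
<?php
// Added illustration, not AVideo's own code. It shows the "split oracle"
// pattern described above and one way to close it. Function names, the
// $videoRoot layout and the isAuthorizedForVideo() helper are assumptions.

// VULNERABLE PATTERN: the authorization check sees one interpretation of the
// parameter (its last path segment) while the file is served from another
// (the raw, un-canonicalized path), so the two can disagree.
function serveHlsVulnerable(string $videoDirectory, string $videoRoot): ?string
{
    $videoName = basename($videoDirectory);            // what the check sees
    if (!isAuthorizedForVideo($videoName)) {
        return null;
    }
    return $videoRoot . '/' . $videoDirectory . '/index.m3u8'; // what is served
}

// HARDENED PATTERN: canonicalize once, require the result to sit inside the
// video root, derive the video identity from that same canonical path, and
// serve exactly the path that was authorized.
function serveHlsHardened(string $videoDirectory, string $videoRoot): ?string
{
    $root = realpath($videoRoot);
    $candidate = realpath($videoRoot . '/' . $videoDirectory);
    if ($root === false || $candidate === false) {
        return null;                                   // unresolvable: refuse
    }
    // Containment: the resolved path must lie strictly below the root.
    if (strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Exactly one directory name may remain; reject anything else.
    $relative = substr($candidate, strlen($root) + 1);
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $relative)) {
        return null;
    }
    if (!isAuthorizedForVideo($relative)) {            // same value that is served
        return null;
    }
    return $candidate . '/index.m3u8';
}

// Assumed helper standing in for the platform's access rules.
function isAuthorizedForVideo(string $videoName): bool
{
    $publicVideos = ['intro_clip'];                    // constructed sample policy
    return in_array($videoName, $publicVideos, true);
}
```

The hardened version requires the video directory to exist on disk, since `realpath()` returns `false` otherwise; that is the desired behaviour for a streaming endpoint.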
Impact and Risk
The impact of this vulnerability is direct and severe. Any WWBN AVideo instance that hosts subscription-based content, private user videos, or unlisted media is at risk. An attacker with no account or credentials can exploit this flaw to:
- Access paid content without payment.
- View private videos intended for specific users or groups.
- Potentially access other sensitive files on the server if their path is known.
This constitutes a clear breach of content access controls and can lead to financial loss for platforms relying on paywalls and a loss of trust from users expecting privacy. For context on how such vulnerabilities can lead to data exposure, you can review historical incidents in our breach reports.
Remediation and Mitigation
The vendor has released a fix in WWBN AVideo version 26.0. The primary and only complete remediation is to update your installation to this version immediately.
Action Steps:
- Update Immediately: Upgrade your WWBN AVideo platform to version 26.0 or later without delay. This is the only way to fully resolve the vulnerability.
- No Effective Workarounds: Due to the nature of the flaw being in the core streaming logic, there are no reliable configuration-based workarounds. Updating is essential.
- Monitor for Exploitation: Review your web server and video view logs for suspicious activity, particularly requests to view/hls.php whose videoDirectory parameter contains path traversal sequences, and access to video files from unauthenticated sessions.
Staying informed about such vulnerabilities is crucial for maintaining security. For the latest updates on threats and patches, follow our security news. If you are running an older version of AVideo, treat this update as a high-priority task to protect your content and your users.