Critical (9.1)

PHP RCE (CVE-2026-33297)

CVE-2026-33297

WWBN AVideo is an open source video platform. Prior to version 26.0, the `setPassword.json.php` endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due t...

Affected: Wwbn Avideo

Overview

A critical security vulnerability has been identified in the WWBN AVideo open-source video platform. This flaw, tracked as CVE-2026-33297, allows an attacker to trivially bypass password protection on user channels, leading to a complete failure of intended access controls. The vulnerability is present in all versions prior to 26.0.

Vulnerability Details

In affected versions, a specific administrative function (setPassword.json.php in the CustomizeUser plugin) is designed to let administrators set a channel password for any user. However, a severe logic error exists in the code that processes the submitted password. When a password containing any non-numeric character (like letters or symbols) is set, the system incorrectly converts it to the integer zero (0) before storing it in the database.

Consequently, whatever password an administrator intends to set, such as “SecurePass123!”, the platform stores it simply as 0. This 0 password is then used to gate access to the password-protected video channel.

Impact

The impact of this vulnerability is severe and straightforward:

  • Access Control Bypass: Any visitor to a password-protected channel can gain immediate access by entering 0 as the password.
  • Data Exposure: This can lead to the unauthorized viewing of sensitive or private video content intended for restricted audiences.
  • High Exploitability: Exploitation requires no advanced skills; it is a simple guess of a single character. This type of logic flaw is a common root cause in data breach reports.

With a CVSS score of 9.1 (CRITICAL), this flaw represents an immediate and high-risk threat to the confidentiality of content on unpatched AVideo instances.

Remediation and Mitigation

The only complete solution is to update the software immediately.

  1. Immediate Patching: Upgrade WWBN AVideo to version 26.0 or later. This version contains the necessary patch to correct the password handling logic. Always obtain software updates from the official project repository.
  2. Post-Update Action: After applying the update, administrators should review and reset channel passwords for any users who had password protection enabled prior to the patch. This ensures the new, correct passwords are in effect.
  3. Stay Informed: For ongoing updates on critical vulnerabilities like this one, follow trusted security news sources.

There is no effective workaround for this vulnerability. Upgrading to the patched version is the essential and urgent action required to secure your deployment.
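The following PHP is an added illustration of the root cause described under Vulnerability Details and of the post-update review in step 2 of the remediation list; it is not AVideo's own code, which the advisory does not reproduce. It assumes the flawed handler coerced the submitted password to an integer, and the function, table and column names are hypothetical placeholders.

```php
<?php
declare(strict_types=1);

// Vulnerable shape (hypothetical): the handler coerces the submitted password
// to an integer. PHP's int conversion turns any string without leading digits
// into 0, so "SecurePass123!" and "0" end up stored as the same value.
function storeChannelPasswordVulnerable(string $submitted): int
{
    return (int) $submitted;
}

// Hardened shape: keep the password a string, reject empty input, and store a
// salted hash instead of the raw value.
function storeChannelPasswordFixed(string $submitted): string
{
    if ($submitted === '' || strlen($submitted) > 1024) {
        throw new InvalidArgumentException('channel password must be a non-empty string');
    }
    return password_hash($submitted, PASSWORD_DEFAULT);
}

// Verification for the hardened shape: constant-time comparison against the hash.
function channelPasswordMatches(string $storedHash, string $attempt): bool
{
    return password_verify($attempt, $storedHash);
}

// Post-update review (remediation step 2): list users whose stored channel
// password is the literal "0", i.e. the value the bug would have written.
// Table and column names are placeholders; adapt them to the real schema.
function findUsersWithZeroPassword(PDO $db): array
{
    $stmt = $db->query("SELECT users_id FROM channel_passwords WHERE password = '0'");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Demonstration of the difference between the two shapes.
$intended = 'SecurePass123!';
var_dump(storeChannelPasswordVulnerable($intended) === storeChannelPasswordVulnerable('0'));

$hash = storeChannelPasswordFixed($intended);
var_dump(channelPasswordMatches($hash, $intended));
var_dump(channelPasswordMatches($hash, '0'));
```

Run the audit function against a copy of the database after upgrading, and reset the channel password for every user it returns.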
