WWBN AVideo RCE (CVE-2026-33478)
CVE-2026-33478
WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker ...
Overview
A critical security vulnerability, tracked as CVE-2026-33478, has been discovered in the WWBN AVideo open-source video platform. This flaw allows an attacker with no prior access or credentials to completely compromise an affected server. The vulnerability resides in the platform’s CloneSite plugin and is present in all versions up to and including 26.0.
Vulnerability Details
The attack chain involves three separate flaws in the CloneSite plugin that, when combined, grant an attacker full control. First, an unauthenticated attacker can access the clones.json.php endpoint to retrieve secret clone keys. Second, using these keys, the attacker can trigger a full database dump via the cloneServer.json.php endpoint. This dump contains administrator password hashes, which are stored using the weak MD5 algorithm and can be cracked quickly.
With a cracked admin password, the attacker gains administrative access to the AVideo platform. Finally, they can exploit an operating system command injection vulnerability within the cloneClient.json.php script. This flaw allows them to inject malicious commands into an rsync command, leading to the execution of arbitrary system commands on the underlying server with the privileges of the web server process.
Impact
The impact of this vulnerability is severe (CVSS score: 10.0). An unauthenticated remote attacker can achieve remote code execution, potentially leading to:
- Full compromise of the AVideo server and its data.
- Theft of sensitive user information and video content.
- Use of the server as a foothold for further attacks within the network.
- Complete system takeover, including data deletion or ransomware deployment.
This level of access could result in significant data breaches.
Remediation and Mitigation
Immediate action is required to secure affected systems.
- Patch: The primary fix is to update to a patched version of WWBN AVideo released after commit c85d076375fab095a14170df7ddb27058134d38c. Apply this patch immediately.
- Mitigation: If immediate patching is not possible, disable the CloneSite plugin entirely as a critical temporary workaround. This will break the plugin’s functionality but will block all exploitation paths.
- Review: Administrators of affected systems should assume compromise. Review server logs for suspicious activity, audit user accounts, and monitor for unauthorized file changes or processes.
Do not rely on changing admin passwords alone as a fix, as the initial attack vector does not require authentication. The chain of vulnerabilities must be broken by applying the official patch or disabling the vulnerable component.
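A log-review helper for the Review step above, added here as an example and not part of the advisory or the AVideo project: it parses Apache/nginx combined-format access log lines, flags requests to the three CloneSite endpoints the advisory names, and lists client addresses that touched all three in sequence. The /plugin/CloneSite/ path prefix and the sample log lines are constructed assumptions.

```python
import re

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The three CloneSite endpoints named in the advisory, mapped to the chain step they serve.
CLONESITE_ENDPOINTS = {
    "clones.json.php": "step 1: clone key disclosure",
    "cloneServer.json.php": "step 2: database dump",
    "cloneClient.json.php": "step 3: rsync command injection",
}

# Constructed sample lines (not from a real server); the /plugin/CloneSite/ prefix is assumed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:12:01 +0000] "GET /plugin/CloneSite/clones.json.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:08:12:05 +0000] "GET /plugin/CloneSite/cloneServer.json.php HTTP/1.1" 200 4194304 "-" "curl/8.5.0"
198.51.100.4 - - [10/Mar/2026:08:15:22 +0000] "GET /index.php?page=2 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:08:20:40 +0000] "POST /plugin/CloneSite/cloneClient.json.php HTTP/1.1" 200 120 "-" "curl/8.5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # Script name only: drop the query string and any directory prefix.
    rec["endpoint"] = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    return rec

def find_clonesite_hits(log_text):
    """Return (ip, endpoint, chain step, status, bytes) for every request to a CloneSite endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["endpoint"] in CLONESITE_ENDPOINTS:
            step = CLONESITE_ENDPOINTS[rec["endpoint"]]
            hits.append((rec["ip"], rec["endpoint"], step, rec["status"], rec["size"]))
    return hits

def chain_suspects(log_text):
    """Client addresses that reached all three endpoints, i.e. walked the full chain."""
    seen = {}
    for ip, endpoint, *_ in find_clonesite_hits(log_text):
        seen.setdefault(ip, set()).add(endpoint)
    return sorted(ip for ip, eps in seen.items() if eps == set(CLONESITE_ENDPOINTS))
```

A large successful response from cloneServer.json.php (the 4 MB hit in the sample) is the signal that a database dump was served and that the admin hashes should be treated as exposed.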