WWBN AVideo SSRF Vulnerability (CVE-2026-33502)

Overview

A critical security vulnerability, tracked as CVE-2026-33502, has been discovered in the WWBN AVideo open-source video platform. This flaw allows any remote attacker, without needing to log in, to force the AVideo server to make unauthorized web requests to internal systems and services.

Vulnerability Details

The vulnerability is a Server-Side Request Forgery (SSRF) located in the plugin/Live/test.php file. In simple terms, this flaw lets an attacker trick the AVideo server into acting as a proxy. They can instruct the server to send HTTP requests to any URL, including those on the server’s own local network that are normally hidden from the internet.

This affects all versions of WWBN AVideo up to and including 26.0. The issue was addressed in commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3.

Potential Impact

The impact of this vulnerability is severe (CVSS score: 9.3). An attacker can exploit it to:

• Probe Internal Networks: Scan and interact with internal services (like databases, admin panels, or APIs) running on the same server or local network.
• Access Sensitive Data: Retrieve information from internal HTTP resources that should not be publicly accessible.
• Target Cloud Metadata: In cloud environments (like AWS, Azure, GCP), attackers can often reach instance metadata endpoints to steal cloud credentials, which can lead to a full cloud account compromise.
• This type of flaw is a common starting point for major data breaches. For analysis of past incidents, you can review public breach reports.

Remediation and Mitigation

Immediate action is required to secure affected systems.

1. Patch Immediately: The primary fix is to update your WWBN AVideo installation. Apply the patch from commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3. If you installed via a release package, upgrade to a version released after this commit. Always test updates in a staging environment first.
2. Temporary Mitigation: If immediate patching is not possible, restrict or block access to the vulnerable file plugin/Live/test.php at your web server (e.g., Apache .htaccess, Nginx location block) or Web Application Firewall (WAF) level. This is a stopgap measure, not a permanent solution.
3. Network Hardening: As a general security practice, ensure internal services are behind firewalls and use network segmentation to limit what a compromised web server can access.

Stay informed about critical vulnerabilities like this by following the latest security news. Organizations using WWBN AVideo should treat this as a high-priority update to prevent potential exploitation and network intrusion.