CVE-2026-33650

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch.

CVSS v3 7.6 HIGH

7.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8	Patch
https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j	Exploit Vendor Advisory
https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-23 19:16

Updated : 2026-03-25 18:00

NVD link : CVE-2026-33650

Mitre link : CVE-2026-33650

CVE.ORG link : CVE-2026-33650

JSON object : View

Products Affected

wwbn

avideo

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-33650", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.8}]}, "published": "2026-03-23T19:16:41.223", "references": [{"url": "https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the \"Videos Moderator\" permission can escalate privileges to perform full video management operations \u2014 including ownership transfer and deletion of any video \u2014 despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, un usuario con el permiso 'Moderador de Videos' puede escalar privilegios para realizar operaciones completas de gesti\u00f3n de videos \u2014 incluyendo la transferencia de propiedad y la eliminaci\u00f3n de cualquier video \u2014 a pesar de que el permiso est\u00e1 documentado como que solo permite cambios en la publicidad de videos (Activo, Inactivo, No listado). La causa ra\u00edz es que `Permissions::canModerateVideos()` se utiliza como una puerta de autorizaci\u00f3n para la edici\u00f3n completa de videos en `videoAddNew.json.php`, mientras que `videoDelete.json.php` solo verifica la propiedad, creando un l\u00edmite de autorizaci\u00f3n asim\u00e9trico explotable a trav\u00e9s de una cadena de dos pasos de transferencia de propiedad y luego eliminaci\u00f3n. El commit 838e16818c793779406ecbf34ebaeba9830e33f7 contiene un parche."}], "lastModified": "2026-03-25T18:00:14.167", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}