CVE-2026-33650

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch.
Configurations

Configuration 1

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

25 Mar 2026, 18:00

Type Values Removed Values Added
CPE cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Summary
  • (es) WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the 'Videos Moderator' permission can escalate privileges to perform full video management operations, including ownership transfer and deletion of any video, despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step chain of ownership transfer followed by deletion. Commit 838e16818c793779406ecbf34ebaeba9830e33f7 contains a patch.
First Time Wwbn
Wwbn avideo
References () https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8 - () https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8 - Patch
References () https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j - () https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j - Exploit, Vendor Advisory

24 Mar 2026, 15:16

Type Values Removed Values Added
References () https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j - () https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j -

23 Mar 2026, 19:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-23 19:16

Updated : 2026-03-25 18:00


NVD link : CVE-2026-33650

Mitre link : CVE-2026-33650

CVE.ORG link : CVE-2026-33650



Products Affected

wwbn

  • avideo
CWE
CWE-863

Incorrect Authorization