Back to overview

CVE-2026-33684

MEDIUM Exploitation: PoC
5.3
CVSS 3.1
Description
WWBN AVideo is an open source video platform. Prior to version 29.0, Privilege Escalation is possible through unguarded permission parameters in signUp API, which allows any user who can solve a CAPTCHA to self-grant elevated permissions during account registration. The set_api_signUp method in the API plugin accepts emailVerified, canUpload, canStream, and canCreateMeet parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid APISecret. By self-granting account attributes, attackers can mark their own accounts as email-verified without owning the address (bypassing email-gated functionality) and award themselves upload, streaming, and meeting-creation permissions, circumventing administrator access controls that intentionally restrict these capabilities for new users. This issue has been fixed in version 29.0

Metadata

CVE ID
CVE-2026-33684
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-03-23 16:34 UTC
Published
2026-07-15 20:47 UTC
Last updated
2026-07-16 12:54 UTC
Primary CWE
CWE-862
CWE-862: Missing Authorization
Vendor / Product
WWBN / AVideo
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
WWBN AVideo < 29.0
Weakness (CWE)
CWESourceDescription
CWE-862 cna CWE-862: Missing Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References (1)
Back to overview