๐Ÿ” CVE Alert

CVE-2026-33684

MEDIUM 5.3

AVideo's Privilege AVideo: Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions

CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th

WWBN AVideo is an open source video platform. Prior to version 29.0, Privilege Escalation is possible through unguarded permission parameters in signUp API, which allows any user who can solve a CAPTCHA to self-grant elevated permissions during account registration. The set_api_signUp method in the API plugin accepts emailVerified, canUpload, canStream, and canCreateMeet parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid APISecret. By self-granting account attributes, attackers can mark their own accounts as email-verified without owning the address (bypassing email-gated functionality) and award themselves upload, streaming, and meeting-creation permissions, circumventing administrator access controls that intentionally restrict these capabilities for new users. This issue has been fixed in version 29.0

CWE CWE-862
Vendor wwbn
Product avideo
Published Jul 15, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for wwbn avideo

Be the first to know when new medium vulnerabilities affecting wwbn avideo are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Affected Versions

WWBN / AVideo
< 29.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/WWBN/AVideo/security/advisories/GHSA-8j8m-p79x-g4jm