{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33650", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T15:23:42.217Z", "datePublished": "2026-03-23T18:28:13.324Z", "dateUpdated": "2026-03-24T14:10:38.572Z"}, "containers": {"cna": {"title": "AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j"}, {"name": "https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:28:13.324Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the \"Videos Moderator\" permission can escalate privileges to perform full video management operations \u2014 including ownership transfer and deletion of any video \u2014 despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch."}], "source": {"advisory": "GHSA-8x77-f38v-4m5j", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:10:34.673960Z", "id": "CVE-2026-33650", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:10:38.572Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33650", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T14:10:34.673960Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:10:30.503Z"}}], "cna": {"title": "AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion", "source": {"advisory": "GHSA-8x77-f38v-4m5j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8", "name": "https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the \"Videos Moderator\" permission can escalate privileges to perform full video management operations \u2014 including ownership transfer and deletion of any video \u2014 despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:28:13.324Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33650", "state": "PUBLISHED", "dateUpdated": "2026-03-24T14:10:38.572Z", "dateReserved": "2026-03-23T15:23:42.217Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T18:28:13.324Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the \"Videos Moderator\" permission can escalate privileges to perform full video management operations \u2014 including ownership transfer and deletion of any video \u2014 despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, un usuario con el permiso 'Moderador de Videos' puede escalar privilegios para realizar operaciones completas de gesti\u00f3n de videos \u2014 incluyendo la transferencia de propiedad y la eliminaci\u00f3n de cualquier video \u2014 a pesar de que el permiso est\u00e1 documentado como que solo permite cambios en la publicidad de videos (Activo, Inactivo, No listado). La causa ra\u00edz es que `Permissions::canModerateVideos()` se utiliza como una puerta de autorizaci\u00f3n para la edici\u00f3n completa de videos en `videoAddNew.json.php`, mientras que `videoDelete.json.php` solo verifica la propiedad, creando un l\u00edmite de autorizaci\u00f3n asim\u00e9trico explotable a trav\u00e9s de una cadena de dos pasos de transferencia de propiedad y luego eliminaci\u00f3n. El commit 838e16818c793779406ecbf34ebaeba9830e33f7 contiene un parche."}], "id": "CVE-2026-33650", "lastModified": "2026-03-25T18:00:14.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T19:16:41.223", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-25T20:31:57.111799+00:00", "value": {"mitigation_remediation": ["Apply the fix contained in commit 838e16818c793779406ecbf34ebaeba9830e33f8 or upgrade to a version of AVideo newer than 26.0.", "If an upgrade is not immediately possible, review and tighten the Permissions::canModerateVideos() gate to restrict ownership transfer and deletion to video owners only, and remove or disable the Videos Moderator role for all users.", "Verify that no other user accounts possess moderator privileges and monitor audit logs for unauthorized ownership or deletion activity."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "This vulnerability affects all versions of WWBN AVideo up to and including 26.0. Moderators with the Videos Moderator permission are granted unintended authority over any video in the system, regardless of ownership.", "description_and_impact": "A flaw in the open\u2011source video platform allows a user with the Videos Moderator role to pursue actions beyond the documented permissions. The root cause is a mismatch in the authorization checks used for editing and deletion: the executor of an ownership transfer is incorrectly gated by a moderation check, while the deletion endpoint only verifies ownership, creating an asymmetric boundary exploitable through a two\u2011step transfer\u2011then\u2011delete process. This permits a moderator to steal ownership of any video and subsequently delete it, effectively bypassing the intended access controls and leading to arbitrary content loss. The weakness is identified as a role\u2011confusion vulnerability (CWE\u2011863).", "risk_and_exploitability": "The CVSS score of 7.6 classifies the flaw as high severity. The EPSS score of less than 1\u202f% indicates that exploit activity is currently uncommon, and the vulnerability does not appear in the CISA KEV catalog. A likely attack vector requires an authenticated user with moderator privileges to exploit the missing authorization check, transfer video ownership to themselves, and then delete the video in a two\u2011step chain. While the exploitation probability remains low, the potential for arbitrary video deletion justifies swift action to mitigate risk."}}}}, "created": "2026-03-24T10:33:22.263653+00:00", "updated": "2026-03-25T20:37:14.595992+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}