Description
WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover. No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk. Exploitation depends on operators failing to change the default, a condition likely met in quick-start, demo, and automated deployments. This issue has been fixed in version 26.0.
Published: 2026-03-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Full administrative takeover, data exposure, and potential remote code execution
Action: Immediate patch
AI Analysis

Impact

The vulnerability stems from the Docker deployment artifacts that ship the administrator password as "password" and assign database credentials of avideo/avideo. The default credentials are automatically used to seed the admin account during installation, providing an obvious, trivial entry point for attackers. The weakness is a predictable default password (CWE‑1188) compounded by weak MD5 hashing, with no requirement for a password change on first login or any complexity enforcement. As a result, anyone who can reach the web interface of a newly deployed instance can obtain full administrative privileges, expose user data, modify content, and potentially execute code through file uploads or plugin management.

Affected Systems

The affected application is WWBN AVideo up to and including version 25.0. The default Docker configuration files (docker-compose.yml and env.example) contain the hard‑coded credentials. No other versions prior to 26.0 are known to contain this issue.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% suggests a low probability of exploitation, yet the impact if exploited is substantial. Attackers can log in simply by using the default credentials exposed in the container environment; no additional techniques are required. The lack of compensating controls and the availability of direct administrative access make the risk significant enough to warrant immediate remediation.

Generated by OpenCVE AI on March 23, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WWBN AVideo to version 26.0 or newer, where the default password issue is fixed.
  • If upgrading is not immediately possible, set a strong password in the SYSTEM_ADMIN_PASSWORD environment variable before starting the container.
  • Change the database credentials by configuring DATABASE_USER and DATABASE_PASSWORD to non‑default values.
  • Limit external access to the web interface with firewall rules or reverse‑proxy authentication to reduce the attack surface.
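The second and third actions above amount to a pre-deployment gate: refuse to start a container whose environment still carries the shipped defaults. The script below is an added example, not code from OpenCVE or from the AVideo project. It assumes the deployment reads its settings from a KEY=value env file (the env.example layout, values optionally quoted), that SYSTEM_ADMIN_PASSWORD, DATABASE_USER and DATABASE_PASSWORD are the variables the advisory names, and that a 16-character minimum for the admin password is an acceptable local policy; that threshold is an assumption, not a project requirement. Run with no argument it checks a constructed file mirroring the shipped defaults and rejects it; given a path, it checks that file and exits non-zero on any finding, so it can sit in front of `docker compose up` in a CI job.

```shell
#!/bin/sh
# Added example (not OpenCVE's or the AVideo project's code): a pre-deployment gate that
# refuses an env file still carrying the shipped defaults named in this advisory.
# Assumptions: the file uses KEY=value lines (optionally quoted), and the variable names
# SYSTEM_ADMIN_PASSWORD, DATABASE_USER and DATABASE_PASSWORD are the ones the deployment reads.
# The 16-character minimum is an assumed local policy, not a project requirement.

MIN_ADMIN_PW_LEN=16

# Print the last value assigned to key $2 in env file $1, with one layer of quotes removed.
# Prints nothing when the key is absent.
env_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 \
    | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Return 0 when no known-default credential is present, 1 otherwise.
# Each finding is printed on its own line so the script can gate a CI job or a deploy script.
check_env_file() {
  file="$1"
  rc=0
  admin_pw=$(env_value "$file" SYSTEM_ADMIN_PASSWORD)
  db_user=$(env_value "$file" DATABASE_USER)
  db_pw=$(env_value "$file" DATABASE_PASSWORD)

  if [ -z "$admin_pw" ]; then
    echo "FAIL: SYSTEM_ADMIN_PASSWORD is not set; the seeded admin account would get the shipped default"
    rc=1
  elif [ "$admin_pw" = "password" ]; then
    echo "FAIL: SYSTEM_ADMIN_PASSWORD is still the shipped default"
    rc=1
  elif [ "${#admin_pw}" -lt "$MIN_ADMIN_PW_LEN" ]; then
    echo "FAIL: SYSTEM_ADMIN_PASSWORD is shorter than $MIN_ADMIN_PW_LEN characters (assumed local policy)"
    rc=1
  fi

  if [ "$db_user" = "avideo" ]; then
    echo "FAIL: DATABASE_USER is the shipped default"
    rc=1
  fi
  if [ -z "$db_pw" ] || [ "$db_pw" = "avideo" ]; then
    echo "FAIL: DATABASE_PASSWORD is unset or the shipped default"
    rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: $file carries no known-default credentials"
  return "$rc"
}

# With no argument, check a constructed file that mirrors the shipped defaults from the
# advisory so the script demonstrates itself; otherwise check the file given on the command line.
if [ $# -eq 0 ]; then
  demo=$(mktemp)
  printf 'SYSTEM_ADMIN_PASSWORD=password\nDATABASE_USER=avideo\nDATABASE_PASSWORD=avideo\n' > "$demo"
  check_env_file "$demo" || echo "demo file rejected, as expected"
  rm -f "$demo"
else
  check_env_file "$1"
fi
```

The unset case is treated the same as the literal default because, per the advisory, an instance that never overrides SYSTEM_ADMIN_PASSWORD is seeded with "password" anyway; a gate that only looked for the literal string would pass exactly the deployments most at risk. The check covers only the env file, so values set inline in docker-compose.yml or injected by an orchestrator still need the same review.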



Advisories

No advisories yet.

History

Tue, 24 Mar 2026 02:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 16:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Wwbn; Wwbn avideo
Type: Vendors & Products
Values Added: Wwbn; Wwbn avideo

Fri, 20 Mar 2026 05:45:00 +0000

Type: Description
Values Added: WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover. No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk. Exploitation depends on operators failing to change the default, a condition likely met in quick-start, demo, and automated deployments. This issue has been fixed in version 26.0.
Type: Title
Values Added: WWBN AVideo has predictable default admin credentials in official Docker deployment path
Type: Weaknesses
Values Added: CWE-1188
Type: References (no values listed)
Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T01:51:03.827Z

Reserved: 2026-03-17T18:10:50.210Z

Link: CVE-2026-33037

Vulnrichment

Updated: 2026-03-24T01:50:59.503Z

NVD

Status : Analyzed

Published: 2026-03-20T06:16:11.817

Modified: 2026-03-23T16:25:29.030

Link: CVE-2026-33037

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:30:24Z

Weaknesses