Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch.
Published: 2026-03-23
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

A flaw in the open-source video platform allows a user with the Videos Moderator role to perform actions beyond the documented permissions. The root cause is a mismatch between the authorization checks used for editing and for deletion: the editing endpoint that carries out an ownership transfer (`videoAddNew.json.php`) is gated by a moderation check, while the deletion endpoint (`videoDelete.json.php`) verifies only ownership, creating an asymmetric boundary exploitable through a two-step transfer-then-delete process. This permits a moderator to transfer ownership of any video to themselves and subsequently delete it, bypassing the intended access controls and leading to arbitrary content loss. The weakness is classified as CWE-863 (Incorrect Authorization), a role-confusion flaw.

Affected Systems

This vulnerability affects all versions of WWBN AVideo up to and including 26.0. Moderators with the Videos Moderator permission are granted unintended authority over any video in the system, regardless of ownership.

Risk and Exploitability

The CVSS score of 7.6 classifies the flaw as high severity. The EPSS score of less than 1% indicates that exploit activity is currently uncommon, and the vulnerability does not appear in the CISA KEV catalog. The likely attack vector requires an authenticated user with moderator privileges to exploit the missing authorization check, transfer video ownership to themselves, and then delete the video in a two-step chain. While the exploitation probability remains low, the potential for arbitrary video deletion justifies swift action to mitigate risk.

Generated by OpenCVE AI on March 25, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the fix contained in commit 838e16818c793779406ecbf34ebaeba9830e33f8 or upgrade to a version of AVideo newer than 26.0.
  • If an upgrade is not immediately possible, review and tighten the Permissions::canModerateVideos() gate to restrict ownership transfer and deletion to video owners only, and remove or disable the Videos Moderator role for all users.
  • Verify that no other user accounts possess moderator privileges and monitor audit logs for unauthorized ownership or deletion activity.

Generated by OpenCVE AI on March 25, 2026 at 20:31 UTC.
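The asymmetric gate described in the Impact section and the owner-only tightening suggested in the recommended actions, modelled as an added example: this is not AVideo's code. The `Permissions` and `VideoAuth` classes, the `$video` and user arrays, and the shape of the vulnerable and hardened checks are assumptions made for illustration; only the file names, the permission name and the field names (`users_id`, `status`) come from the advisory. The script replays the transfer-then-delete sequence against both gates so it can double as a regression check for the fix.

```php
<?php
// Added example for CVE-2026-33650: a hypothetical model of the two endpoint
// checks, not AVideo's source. Class names, the in-memory video record and the
// user arrays are assumptions made for illustration.
declare(strict_types=1);

final class Permissions
{
    /** The moderation permission as documented: intended for publicity changes only. */
    public static function canModerateVideos(array $user): bool
    {
        return $user['isAdmin'] || $user['canModerateVideos'];
    }
}

final class VideoAuth
{
    /** Pre-fix shape: the moderation permission unlocks full editing, users_id included. */
    public static function canEditVulnerable(array $user, array $video): bool
    {
        return $user['isAdmin']
            || $user['id'] === $video['users_id']
            || Permissions::canModerateVideos($user);
    }

    /** Hardened shape: owner or admin for any field; a moderator may touch only the publicity status. */
    public static function canChangeField(array $user, array $video, string $field): bool
    {
        if ($user['isAdmin'] || $user['id'] === $video['users_id']) {
            return true;
        }
        return $field === 'status' && Permissions::canModerateVideos($user);
    }

    /** Deletion check: owner or admin. The chain works only because the transfer step rewrites the owner. */
    public static function canDelete(array $user, array $video): bool
    {
        return $user['isAdmin'] || $user['id'] === $video['users_id'];
    }
}

/**
 * Replay the two-step sequence (transfer ownership to self, then delete) against one gate
 * and report which steps that gate allowed. Nothing is persisted; $video is passed by value.
 * The 'status' entry records whether the documented publicity change is still permitted.
 */
function transferThenDelete(array $user, array $video, bool $hardened): array
{
    $statusAllowed = $hardened
        ? VideoAuth::canChangeField($user, $video, 'status')
        : VideoAuth::canEditVulnerable($user, $video);

    $transferAllowed = $hardened
        ? VideoAuth::canChangeField($user, $video, 'users_id')
        : VideoAuth::canEditVulnerable($user, $video);
    if ($transferAllowed) {
        $video['users_id'] = $user['id'];   // the edit endpoint would persist the new owner here
    }

    return [
        'status'   => $statusAllowed,
        'transfer' => $transferAllowed,
        'delete'   => VideoAuth::canDelete($user, $video),
    ];
}

// Constructed sample data: video 1 is owned by user 10; user 20 holds only the moderator permission.
$video = ['id' => 1, 'users_id' => 10, 'status' => 'a'];
$moderator = ['id' => 20, 'isAdmin' => false, 'canModerateVideos' => true];

foreach (['vulnerable' => false, 'hardened' => true] as $label => $hardened) {
    $result = transferThenDelete($moderator, $video, $hardened);
    printf(
        "%-10s status-change=%s transfer=%s delete=%s\n",
        $label,
        var_export($result['status'], true),
        var_export($result['transfer'], true),
        var_export($result['delete'], true)
    );
}
```

Run it with `php` on the command line: against the vulnerable gate the moderator is allowed both the transfer and, now being the owner, the delete; against the hardened gate the transfer is refused, so the unchanged owner-only delete check also fails, while the publicity change the role is documented to permit still succeeds. The design point is that the delete endpoint did not need to change; the fix belongs at the field-level edit check, which is where the recommended action says to tighten.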


Advisories
Source: Github GHSA
ID: GHSA-8x77-f38v-4m5j
Title: AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion
History

Wed, 25 Mar 2026 18:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Wwbn, Wwbn avideo

Type: Vendors & Products
Values Added: Wwbn, Wwbn avideo

Mon, 23 Mar 2026 18:45:00 +0000

Type: Description
Values Added: WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch.

Type: Title
Values Added: AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion

Type: Weaknesses
Values Added: CWE-863

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T14:10:38.572Z

Reserved: 2026-03-23T15:23:42.217Z

Link: CVE-2026-33650

Vulnrichment

Updated: 2026-03-24T14:10:30.503Z

NVD

Status : Analyzed

Published: 2026-03-23T19:16:41.223

Modified: 2026-03-25T18:00:14.167

Link: CVE-2026-33650

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:37:14Z

Weaknesses