Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords. Commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 contains a patch.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated boolean oracle enabling brute‑force video password discovery
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists in the API endpoint get_api_video_password_is_correct, which exposes a boolean password correctness response without requiring authentication or rate limiting. Because the response is deterministic, an attacker can iterate candidate passwords and determine the correct password for any protected video manually. This leads to unauthorized disclosure of video content, violating confidentiality, and enabling further attacks such as phishing or content theft. The weakness is a classic authentication failure (CWE‑307).

Affected Systems

The flaw affects the WWBN AVideo open‑source video platform. Versions up to and including 26.0 contain the vulnerable endpoint. Upgrading to a later version or applying the patch removes the oracle.

Risk and Exploitability

CVSS assessment of 5.3 indicates moderate severity. The EPSS score of less than 1 % reflects a low likelihood of widespread exploitation at present, and the vulnerability is not listed in CISA’s KEV. Attackers can exploit the path by issuing unauthenticated HTTP requests to the vulnerable endpoint until the correct password is discovered. The lack of rate limiting means that the attack can be automated with minimal effort, and a successful compromise would grant full access to any protected video. Once patched, the vector is closed and the risk is returned to a baseline level.

Generated by OpenCVE AI on March 31, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 to the AVideo codebase.
  • Upgrade AVideo to a version released after the patch (e.g., 26.1 or later).
  • If an immediate upgrade is not possible, temporarily disable or restrict access to the get_api_video_password_is_correct endpoint and implement rate limiting or authentication.
  • Verify in the application configuration that no unauthenticated calls can reach the password‑verification API.
  • Monitor server logs for repeated validation requests and block IPs exhibiting brute‑force patterns.

Generated by OpenCVE AI on March 31, 2026 at 19:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8prq-2jr2-cm92 AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle
History

Tue, 31 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Fri, 27 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords. Commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 contains a patch.
Title AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T12:06:27.809Z

Reserved: 2026-03-23T18:30:14.126Z

Link: CVE-2026-33763

cve-icon Vulnrichment

Updated: 2026-03-30T12:06:24.463Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T15:16:58.390

Modified: 2026-03-31T18:44:43.017

Link: CVE-2026-33763

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:01:12Z

Weaknesses