Mar 26, 2026
A critical flaw in AVideo's control.json.php allows unauthenticated remote attackers to bypass token verification by supplying a malicious streamerURL, granting administrative control over live streams.
WWBN AVideo versions 26.0 and prior are vulnerable to an unauthenticated remote authentication bypass (CWE-287) in the live stream control endpoint. Unvalidated user input permits an attacker to override internal verification requests, leading to arbitrary execution of RTMP stream management commands.
CVE-2026-33716, also tracked as GHSA-9hv9-gvwm-95f2, is a critical vulnerability affecting WWBN AVideo, an open-source video hosting and live streaming platform. The flaw specifically resides within the standalone live stream control endpoint, a component designed to interface directly with backend streaming modules. Versions 26.0 and earlier expose this endpoint without proper input validation, permitting a complete bypass of the intended authentication mechanisms.
The vulnerable component, plugin/Live/standAloneFiles/control.json.php, manages critical RTMP stream operations in conjunction with the NGINX RTMP module. Authorized users utilize this endpoint to manage live broadcasts, drop misbehaving publishers, and control stream recording functions. To verify the authorization of these actions, the script requests token validation from a central streamer server via an outbound HTTP request.
The authentication bypass manifests due to improper handling of the streamerURL HTTP parameter. The application dynamically constructs the token verification URL using user-supplied input. An unauthenticated remote attacker can exploit this CWE-287 (Improper Authentication) condition by pointing the verification routine to an external, attacker-controlled server. This effectively neutralizes the token check, yielding administrative control over live streams to the attacker.
The root cause of CVE-2026-33716 is the direct incorporation of unvalidated user input into a server-side request execution path. The script control.json.php processes incoming HTTP requests (GET or POST) and attempts to extract a streamerURL parameter. If this parameter is present, the script assigns it to the internal $streamerURL variable, effectively overriding the platform's trusted configuration.
Once the $streamerURL is defined, the application constructs an outbound validation request: $verifyTokenURL = "{$streamerURL}verifyToken?token={$_REQUEST['token']}";. The application then executes a server-side request using the PHP file_get_contents() function to query this constructed URL. The logic assumes that a positive response from this endpoint confirms the validity of the provided token.
Because the attacker controls the hostname and path of the validation endpoint, they govern the response evaluated by the application. The AVideo server executes the HTTP request to the designated infrastructure, parses the returned JSON payload, and grants access if the payload matches the expected success format ({"error": false}). The application fails to enforce an allowlist or independently verify the authority of the streamerURL origin.
A secondary security weakness exists within the PHP stream context ($arrContextOptions) utilized for the file_get_contents() call. The configuration explicitly disables SSL/TLS certificate validation by setting verify_peer and verify_peer_name to false. While the primary vulnerability relies on arbitrary URL injection, this secondary weakness exposes legitimate token verification requests to Man-in-the-Middle (MitM) attacks, allowing network adversaries to intercept and spoof validation responses even when a legitimate streamerURL is used.
Analysis of the vulnerable plugin/Live/standAloneFiles/control.json.php script reveals the direct parameter assignment responsible for the vulnerability. Prior to the patch, the code contained a conditional block that explicitly allowed the HTTP request parameters to define the streamer verification endpoint.
```php
// Vulnerable Code Pattern
if (!empty($_REQUEST['streamerURL'])) {
    $streamerURL = $_REQUEST['streamerURL'];
}
// ...
$verifyTokenURL = "{$streamerURL}verifyToken?token={$_REQUEST['token']}";
$response = file_get_contents($verifyTokenURL, false, $arrContextOptions);
```

The remediation, introduced in commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128, addresses the vulnerability by entirely removing the user-controlled override. The patched version strictly relies on the internally configured streamer URL, neutralizing the attacker's ability to inject a malicious validation endpoint.
```php
// Patched Code Pattern
// The $_REQUEST['streamerURL'] override block is completely removed.
$verifyTokenURL = "{$global['webSiteRootURL']}plugin/Live/verifyToken.json.php?token=" . urlencode($_REQUEST['token']);
$response = file_get_contents($verifyTokenURL, false, $arrContextOptions);
```

The fix commit also implements critical input sanitization on the name parameter. The script utilizes the name parameter to query the filesystem for active stream recordings using the glob() function. The patch introduces a regular expression (/[^a-zA-Z0-9_-]/) to strip any character outside that set, mitigating secondary path traversal risks associated with the is_recording command.
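The following is an added example, not code from the AVideo project, showing how the three weaknesses discussed above (the client-chosen verification host, the disabled certificate validation in the stream context, and the unsanitized name reaching glob()) can be closed together in one hardened control handler. It assumes the configured site URL lives in $global['webSiteRootURL'] and that the verifier answers {"error": false} on success, as the article states; the 'command' request key, the ALLOWED_COMMANDS list, and the choice to reject rather than strip a bad name are assumptions made for the example.

```php
<?php
// Added example (not AVideo's code): hardened token check and stream-name
// handling for a stand-alone control endpoint. Assumptions are labelled inline.
declare(strict_types=1);

// Commands this example accepts. The article names drop_publisher and
// is_recording; the real endpoint supports others (allowlist form is assumed).
const ALLOWED_COMMANDS = ['drop_publisher', 'is_recording'];

/**
 * Verify a token against the configured streamer only. The request never gets
 * to choose the verification host, so $_REQUEST['streamerURL'] is ignored.
 */
function verifyStreamToken(string $token, string $configuredRootURL): bool
{
    // Fail closed on an empty token or a missing / non-HTTPS configured URL.
    if ($token === '' || $configuredRootURL === '') {
        return false;
    }
    $parts = parse_url($configuredRootURL);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return false;
    }
    $verifyTokenURL = rtrim($configuredRootURL, '/')
        . '/plugin/Live/verifyToken.json.php?token=' . urlencode($token);

    // Certificate validation ON (the weak context set verify_peer and
    // verify_peer_name to false), a short timeout, and no redirect following.
    $context = stream_context_create([
        'http' => ['method' => 'GET', 'timeout' => 5, 'follow_location' => 0, 'ignore_errors' => true],
        'ssl'  => ['verify_peer' => true, 'verify_peer_name' => true, 'allow_self_signed' => false],
    ]);
    $response = @file_get_contents($verifyTokenURL, false, $context);
    if ($response === false) {
        return false;
    }
    // Require an HTTP 200 status line before trusting the body
    // ($http_response_header is populated in this scope by file_get_contents).
    if (empty($http_response_header[0]) || !preg_match('#^HTTP/\S+\s+200\b#', $http_response_header[0])) {
        return false;
    }
    // Accept only a JSON object whose "error" member is exactly boolean false;
    // the string "false", a missing key, or non-JSON all fail closed.
    $json = json_decode($response, true);
    return is_array($json) && array_key_exists('error', $json) && $json['error'] === false;
}

/**
 * Apply the patch's character class to the name used with glob(). This is
 * stricter than the patch (an assumption of this example): instead of silently
 * stripping, any name that would change is rejected by returning null.
 */
function sanitizeStreamName(string $name): ?string
{
    $clean = preg_replace('/[^a-zA-Z0-9_-]/', '', $name);
    return ($clean !== '' && $clean === $name) ? $clean : null;
}

/**
 * Dispatch a control request. $request stands in for $_REQUEST and $global for
 * AVideo's configuration array; the 'command' key name is an assumption.
 */
function handleControlRequest(array $request, array $global): array
{
    $command = (string) ($request['command'] ?? '');
    if (!in_array($command, ALLOWED_COMMANDS, true)) {
        return ['error' => true, 'msg' => 'unknown command'];
    }
    // Cheap input checks first, so garbage never triggers an outbound request.
    $name = sanitizeStreamName((string) ($request['name'] ?? ''));
    if ($name === null) {
        return ['error' => true, 'msg' => 'invalid stream name'];
    }
    $root = (string) ($global['webSiteRootURL'] ?? '');
    if (!verifyStreamToken((string) ($request['token'] ?? ''), $root)) {
        return ['error' => true, 'msg' => 'token rejected'];
    }
    // Only a request that passed every gate above reaches the RTMP module.
    return ['error' => false, 'command' => $command, 'name' => $name];
}

header('Content-Type: application/json');
echo json_encode(handleControlRequest($_REQUEST, $global ?? []));
```

The design point is that every decision input comes from server-side configuration or is reduced to a fixed character set before it is used; the only client-controlled values that influence the outcome are the token (forwarded URL-encoded to the configured verifier) and an allowlisted command name.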
Exploiting CVE-2026-33716 requires no prior authentication, and the attack complexity is low. The attacker only requires network line-of-sight to the public-facing AVideo application. The first phase of the exploitation sequence involves establishing a rudimentary web server under the attacker's control. This server is configured to unconditionally return the static JSON payload {"error": false} for any incoming HTTP request.
With the malicious infrastructure active, the attacker transmits a crafted HTTP POST or GET request to the target's control.json.php endpoint. The payload specifies the target command (e.g., drop_publisher), the specific stream identifier via the name parameter, and the streamerURL parameter pointing to the attacker's web server.
Upon receiving the request, the AVideo application initiates a backend HTTP connection to the attacker's server to validate the token. The attacker's server replies with the expected success payload. The AVideo application parses this response, successfully validates the non-existent token, and executes the requested administrative command against the NGINX RTMP module, severing the target stream.
The exploitation of CVE-2026-33716 results in a high-severity compromise of application integrity and availability. An unauthenticated attacker gains arbitrary administrative control over all active live stream operations managed by the vulnerable endpoint. The vulnerability carries a CVSS v3.1 base score of 9.4, reflecting the critical nature of unauthenticated, network-exploitable security bypasses.
The primary consequence is the disruption of live broadcasting services. Attackers can repeatedly execute the drop_publisher command, forcefully disconnecting legitimate content creators from the RTMP server. This constitutes a highly effective, application-layer Denial of Service (DoS) attack against the platform's core streaming functionality.
Furthermore, the attacker can manipulate recording states via the control.json.php endpoint. They possess the capability to initiate unauthorized server-side recordings of live streams or terminate active recordings prematurely. While the confidentiality impact is assessed as low (primarily limited to probing for the existence of active streams), the unchecked administrative control severely degrades trust in the platform's operational stability.
The definitive remediation for CVE-2026-33716 is upgrading the WWBN AVideo installation to a version greater than 26.0, which incorporates commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128. This update removes the vulnerable streamerURL override logic and enforces proper internal routing for token verification. Administrators must ensure the deployment successfully applies the changes to plugin/Live/standAloneFiles/control.json.php.
For environments where immediate patching is not feasible, network-level access controls provide a robust secondary mitigation layer. The plugin/Live/standAloneFiles/ directory is primarily designed for internal interactions between the web application and the streaming backend. Administrators should configure the web server (e.g., Apache or NGINX) to restrict access to this specific directory, permitting inbound requests strictly from the localhost (127.0.0.1) or explicitly trusted internal infrastructure IP addresses.
Additionally, security teams can deploy Web Application Firewall (WAF) rules to detect and block exploitation attempts. A custom WAF rule should inspect all HTTP GET and POST requests directed at /plugin/Live/standAloneFiles/control.json.php. If the request body or query string contains the streamerURL parameter, the WAF must block the transaction and generate a high-severity security alert, as legitimate application behavior no longer relies on this client-supplied parameter.
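As an added example of the access-control and request-filtering mitigations described in the two paragraphs above (not configuration shipped by the AVideo project), the following NGINX fragment confines the stand-alone control files to loopback and a trusted internal range and refuses any query string that carries streamerURL. The 10.0.0.0/8 range and the PHP-FPM socket path are placeholders to be replaced with the deployment's own values; request bodies are not inspected by NGINX itself, so the POST case still needs a WAF rule.

```nginx
# Added example, not from the AVideo project. Restrict the stand-alone control
# files to the hosts that legitimately call them.
location ^~ /plugin/Live/standAloneFiles/ {
    allow 127.0.0.1;
    allow 10.0.0.0/8;      # placeholder: your streaming backend's network
    deny  all;

    # The patched application never needs a client-supplied streamerURL, so a
    # query string containing it is an exploitation attempt: refuse it. POST
    # bodies are not visible here and must be covered by the WAF rule.
    if ($args ~* "(^|&)streamerURL=") {
        return 403;
    }

    # ^~ stops the server-wide "location ~ \.php$" from matching, so PHP
    # handling has to be repeated inside this block.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }
}
```

Reload with `nginx -t && nginx -s reload`, then confirm from an untrusted address that the endpoint answers 403 and from the streaming backend that it still answers normally; a 403 counter on this location is a cheap detection signal to forward to the SIEM.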
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| AVideo WWBN | <= 26.0 | > 26.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-287 |
| Attack Vector | Network |
| CVSS Score | 9.4 |
| EPSS Score | 0.00082 |
| Impact | High Integrity, High Availability, Low Confidentiality |
| Exploit Status | poc |
| KEV Status | Not Listed |
| CWE Name | Improper Authentication |