Mar 26, 2026
Unauthenticated attackers can modify WWBN AVideo CDN configurations via a default empty key bypass and mass-assignment flaw, leading to traffic redirection and potential credential theft.
WWBN AVideo versions up to 26.0 suffer from a critical missing authentication vulnerability in the CDN plugin. An unauthenticated attacker can exploit a logic flaw in default key handling combined with a mass-assignment vulnerability to take complete control of the CDN configuration.
WWBN AVideo is an open-source video hosting platform that supports distributed content delivery via a dedicated CDN plugin. This plugin allows edge nodes to report their status and receive configuration updates from the central server. The communication relies on specific API endpoints, primarily plugin/CDN/status.json.php and plugin/CDN/disable.json.php.
The vulnerability, identified as CWE-306 (Missing Authentication for Critical Function), exists in how these endpoints validate incoming requests. The authentication mechanism requires edge nodes to present a pre-configured key. However, the implementation contains a critical logic flaw regarding the default state of this key.
When combined with an unrestricted mass-assignment vulnerability in the same code path, this authentication bypass allows an attacker to inject arbitrary configuration values. The flaw results in a CVSS score of 8.6, reflecting the high integrity impact and low attack complexity. Exploitation requires network access to the target instance but demands no privileges or user interaction.
The root cause of this vulnerability lies in the intersection of improper PHP type evaluation and insecure object property assignment. The authentication validation sequence relies on checking the configured key against the provided key using the empty() function. By default, the CDN plugin initializes its authentication key as an empty string.
In PHP, empty() treats an empty string as empty, so the negated check !empty($obj->key) evaluates to false for it. The original code validates incoming keys using a condition conceptually similar to if (!empty($obj->key)). When the administrator has not explicitly set a custom key, the plugin's stored key remains empty. Consequently, the validation block is skipped entirely, and the application assumes the incoming request is authorized regardless of the key provided in the payload.
Once the authentication check is bypassed, the code processes the par request parameter. The application iterates over this array using a foreach loop and dynamically assigns each key-value pair directly to the plugin's configuration object. This unrestricted mass-assignment vector enables an attacker to define or overwrite any internal variable, bypassing intended access controls and application logic constraints.
The original implementation of the CDN plugin endpoints processed incoming configuration requests without restricting the modifiable properties. The vulnerable code pattern directly iterates over user input and assigns it to the configuration object.
```php
// Vulnerable Implementation (Conceptual)
if (!empty($obj->key)) {
    // Authentication validation logic
}
// Unrestricted Mass-Assignment
foreach ($_REQUEST['par'] as $key => $value) {
    $obj->{$key} = $value;
}
```

The patch introduced in commit adeff0a31ba04a56f411eef256139fd7ed7d4310 addresses both the authentication bypass and the mass-assignment vulnerability. The updated code enforces strict, constant-time comparison for the authentication key and mandates that a key must be configured before the endpoints accept any state changes.
```php
// Patched Implementation (Conceptual)
if (empty($obj->key) || !hash_equals($obj->key, $_REQUEST['key'])) {
    die("Unauthorized");
}
// Whitelisted Assignment
$allowedPars = ['CDN', 'CDN_S3', 'CDN_B2', 'CDN_FTP', 'CDN_Live', 'CDN_YPTStorage', 'CDN_LiveServers'];
foreach ($_REQUEST['par'] as $key => $value) {
    if (in_array($key, $allowedPars, true)) {
        $obj->{$key} = $value;
    }
}
```

By introducing the $allowedPars array, the developers restricted configuration updates to a defined set of safe properties. This prevents attackers from modifying sensitive configuration fields, such as the authentication key itself or administrative credentials, even if they possess a valid key.
Exploiting this vulnerability requires sending a specially crafted HTTP POST request to the status.json.php endpoint. The attacker does not need prior authentication. The only prerequisite is that the CDN plugin is enabled on the target instance and the administrator has not configured a custom authentication key.
The attacker constructs a request containing an arbitrary key parameter to satisfy the basic input requirements. The payload's effectiveness stems from the par parameter, which is formatted as an array. The attacker specifies the configuration properties they wish to overwrite as keys within this array, and the malicious payloads as the corresponding values.
```http
POST /plugin/CDN/status.json.php HTTP/1.1
Host: target-avideo.com
Content-Type: application/x-www-form-urlencoded

key=any_string&par[CDN]=https://malicious-cdn.com&par[key]=attacker_controlled_key
```

Upon processing this request, the application bypasses the authentication check due to the empty default key. The mass-assignment loop then processes the par array. It overwrites the primary CDN URL with the attacker's infrastructure and replaces the empty authentication key with attacker_controlled_key. This action simultaneously implements the malicious configuration and establishes persistence by locking out unauthenticated modifications.
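The allowlist enforced by the patch can also be applied to captured requests, for example in a reverse proxy or a log pipeline that records request bodies. The following is an added example, not AVideo code: the function name, the finding strings and the sample request are assumptions made for illustration, and only the endpoint paths and property names come from this page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Property names from the allowlist in the patched code on this page.
ALLOWED_PARS = frozenset({"CDN", "CDN_S3", "CDN_B2", "CDN_FTP", "CDN_Live",
                          "CDN_YPTStorage", "CDN_LiveServers"})
CDN_ENDPOINTS = ("/plugin/CDN/status.json.php", "/plugin/CDN/disable.json.php")
PAR_NAME = re.compile(r"^par\[([^\]]*)\]")


def inspect_cdn_request(target, body=""):
    """Return findings for one captured request; an empty list means nothing to flag."""
    parts = urlsplit(target)
    if not parts.path.endswith(CDN_ENDPOINTS):
        return []
    # PHP's $_REQUEST merges query-string and form-body parameters, so check both.
    # parse_qsl also decodes percent-encoded brackets such as par%5Bkey%5D.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, _value in pairs:
        match = PAR_NAME.match(name)
        if match is None:
            continue
        prop = match.group(1)
        if prop == "key":
            findings.append("par[key]: attempt to set the authentication key")
        elif prop not in ALLOWED_PARS:
            findings.append(f"par[{prop}]: property outside the patch allowlist")
    return findings


# Constructed sample request; host names and values are placeholders.
SAMPLE_TARGET = "/plugin/CDN/status.json.php"
SAMPLE_BODY = ("key=x&par[CDN]=https://cdn.example.org/"
               "&par%5Bkey%5D=new-value&par[not_on_allowlist]=1")

if __name__ == "__main__":
    for finding in inspect_cdn_request(SAMPLE_TARGET, SAMPLE_BODY):
        print(finding)
```

A request that only sets allowlisted properties produces no finding here, so this check complements the key requirement rather than replacing it.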
The primary impact of this vulnerability is the complete compromise of the platform's content delivery architecture. By modifying the CDN URL parameter, an attacker forces the AVideo instance to serve all media assets through infrastructure they control. This facilitates traffic interception, enabling the attacker to harvest client IP addresses, serve malicious payloads disguised as video content, or perform phishing attacks against the platform's user base.
The mass-assignment flaw introduces significant secondary risks regarding credential exposure. AVideo instances utilizing external storage solutions require the CDN plugin to manage credentials for Amazon S3, Backblaze B2, or FTP servers. An attacker can overwrite these credential fields or manipulate the application state to extract the existing secrets, leading to a broader compromise of the organization's cloud infrastructure.
Furthermore, the attacker establishes persistence by utilizing the mass-assignment vector to populate the previously empty authentication key. By defining a custom key, the attacker transitions the system out of the vulnerable default state, ensuring subsequent unauthenticated requests fail. This locks out legitimate administrators from updating the CDN configuration via the API until the database records are manually corrected.
The definitive remediation for CVE-2026-33719 is upgrading the WWBN AVideo installation to a version greater than 26.0. The official patch fundamentally alters the validation logic by introducing constant-time key comparison via hash_equals() and implementing a strict whitelist for modifiable configuration properties. Administrators must verify the update successfully applied the changes from commit adeff0a31ba04a56f411eef256139fd7ed7d4310.
In environments where immediate patching is not feasible, administrators can mitigate the vulnerability by manually configuring a strong, high-entropy authentication key within the CDN plugin settings. Populating this value eliminates the empty string condition, effectively neutralizing the authentication bypass logic flaw. This action must be performed immediately upon enabling the CDN plugin.
Security teams must review database records to identify potential post-exploitation activity. The audit should focus on unauthorized modifications to the CDN base URLs and storage credential properties within the plugin configuration tables. Any unexpected values or unfamiliar authentication keys indicate a successful compromise, necessitating an immediate credential rotation for all associated third-party storage services.
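One way to run the audit described above, as an added example that is not part of AVideo: it compares a snapshot of the CDN plugin configuration with a known-good baseline. It assumes the configuration has been exported as a flat JSON-style object; the function name, the sample values and the trusted host list are constructed for illustration.

```python
from urllib.parse import urlparse

# Property names from the allowlist in the patched code on this page.
CDN_PARS = ("CDN", "CDN_S3", "CDN_B2", "CDN_FTP", "CDN_Live",
            "CDN_YPTStorage", "CDN_LiveServers")


def _strings(value):
    """Yield every string inside a value that may be a str, list or dict."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings(item)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _strings(item)


def audit_cdn_config(current, baseline, trusted_hosts):
    """Compare a config snapshot with a known-good one; return (field, reason) pairs."""
    findings = []
    key = current.get("key") or ""
    if not key:
        findings.append(("key", "empty key (vulnerable default state)"))
    elif key != (baseline.get("key") or ""):
        # Report the change only; never write the key value into audit output.
        findings.append(("key", "key differs from baseline"))
    for name in sorted(set(current) | set(baseline)):
        if name != "key" and current.get(name) != baseline.get(name):
            findings.append((name, "value changed since baseline"))
    for name in CDN_PARS:
        for text in _strings(current.get(name)):
            host = urlparse(text).hostname
            if host and host not in trusted_hosts:
                findings.append((name, f"URL host not trusted: {host}"))
    return findings


# Constructed sample data; values and host names are placeholders.
BASELINE = {"key": "", "CDN": "https://cdn.example.org/", "CDN_S3": ""}
CURRENT = {"key": "unfamiliar-value", "CDN": "https://cdn.unknown.example/", "CDN_S3": ""}

if __name__ == "__main__":
    for field, reason in audit_cdn_config(CURRENT, BASELINE, {"cdn.example.org"}):
        print(f"{field}: {reason}")
```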
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

| Product | Affected Versions | Fixed Version |
|---|---|---|
| AVideo WWBN | <= 26.0 | > 26.0 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-306 |
| Attack Vector | Network |
| CVSS Score | 8.6 (High) |
| EPSS Score | 0.00123 |
| Impact | Configuration Takeover / Credential Exposure |
| Exploit Status | PoC Available |
| CISA KEV | Not Listed |
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.