CVE-2026-33684: AVideo's Privilege Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions

June 22, 2026

The set_api_signUp method in the API plugin accepts emailVerified, canUpload, canStream, and canCreateMeet parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid APISecret. Any anonymous user who can solve a CAPTCHA can self-grant elevated permissions during account registration.

References

github.com/WWBN/AVideo/commit/061f242cba0e068cc1b461705fe839274b5038ff
github.com/WWBN/AVideo/security/advisories/GHSA-8j8m-p79x-g4jm
github.com/advisories/GHSA-8j8m-p79x-g4jm
nvd.nist.gov/vuln/detail/CVE-2026-33684

Code Behaviors & Features

Detect and mitigate CVE-2026-33684 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →