CVE-2026-33692: AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration

Attacker: Unauthenticated (any remote user)
Victim: AVideo server and database
Specific damage: Attacker obtains database credentials ( DB_MYSQL_USER , DB_MYSQL_PASSWORD ), admin password ( SYSTEM_ADMIN_PASSWORD ), and internal network topology ( NETWORK_SUBNET ). This enables direct database access, admin panel takeover, and further lateral movement within the Docker network.

June 22, 2026

References

Code Behaviors & Features

Detect and mitigate CVE-2026-33692 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →