
CVE-2026-33719: AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment

March 25, 2026

The CDN plugin endpoints plugin/CDN/status.json.php and plugin/CDN/disable.json.php use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration — including CDN URLs, storage credentials, and the authentication key itself — via mass-assignment through the par request parameter.
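The two weaknesses described above, shown as a weak key check beside a fail-closed check and an allowlisted parameter copy. This is an added illustration, not AVideo's code and not the upstream fix; the function names, the field names (cdnUrl, storageUrl) and the sample values are hypothetical and constructed for the example.

```php
<?php
// Illustrative sketch only: not taken from the AVideo code base.

// Hypothetical allowlist of settings a keyed request may change.
// The authentication key itself is deliberately not assignable.
const ASSIGNABLE_FIELDS = ['cdnUrl', 'storageUrl'];

// Weak pattern: the comparison only runs when a key is configured,
// so the default empty key authorizes every caller.
function isAuthorizedWeak(string $configuredKey, string $suppliedKey): bool
{
    if (!empty($configuredKey) && $configuredKey !== $suppliedKey) {
        return false;
    }
    return true;
}

// Hardened pattern: an unconfigured key denies all requests (fail closed),
// and the comparison is constant-time.
function isAuthorized(string $configuredKey, string $suppliedKey): bool
{
    if ($configuredKey === '' || $suppliedKey === '') {
        return false;
    }
    return hash_equals($configuredKey, $suppliedKey);
}

// Hardened pattern: copy only allowlisted string fields instead of
// assigning every property found in the request parameter.
function applyParams(array $config, array $par): array
{
    foreach (ASSIGNABLE_FIELDS as $field) {
        if (isset($par[$field]) && is_string($par[$field])) {
            $config[$field] = $par[$field];
        }
    }
    return $config;
}

// Constructed sample: plugin enabled, key never configured.
$config = ['key' => '', 'cdnUrl' => 'https://cdn.example.test/'];
$par    = ['cdnUrl' => 'https://new.example.test/', 'key' => 'replaced'];

var_dump(isAuthorizedWeak($config['key'], ''));   // weak check result
var_dump(isAuthorized($config['key'], ''));       // fail-closed result
var_dump(applyParams($config, $par));             // 'key' stays unchanged
```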

References

  • github.com/WWBN/AVideo
  • github.com/WWBN/AVideo/commit/adeff0a31ba04a56f411eef256139fd7ed7d4310
  • github.com/WWBN/AVideo/security/advisories/GHSA-r64r-883r-wcwh
  • github.com/advisories/GHSA-r64r-883r-wcwh
  • nvd.nist.gov/vuln/detail/CVE-2026-33719


Affected versions

All versions up to 26.0

Solution

Unfortunately, there is no solution available yet.

Impact 8.6 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L


Weakness

  • CWE-306: Missing Authentication for Critical Function

Source file

packagist/wwbn/avideo/CVE-2026-33719.yml


Page generated Sat, 09 May 2026 12:18:09 +0000.