CVE-2026-33763: AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle

March 26, 2026 (updated March 27, 2026)

The get_api_video_password_is_correct API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean passwordIsCorrect field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135
github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92
github.com/advisories/GHSA-8prq-2jr2-cm92
nvd.nist.gov/vuln/detail/CVE-2026-33763

Code Behaviors & Features

Detect and mitigate CVE-2026-33763 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →