CVE-2026-33764: AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions

March 26, 2026 (updated March 27, 2026)

The AI plugin’s save.json.php endpoint loads AI response objects using an attacker-controlled $_REQUEST['id'] parameter without validating that the AI response belongs to the specified video. An authenticated user with AI permissions can reference any AI response ID — including those generated for other users’ private videos — and apply the stolen AI-generated content (titles, descriptions, keywords, summaries, or full transcriptions) to their own video, effectively exfiltrating the information.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/aa2c46a806960a0006105df47765913394eec142
github.com/WWBN/AVideo/security/advisories/GHSA-g39v-qrj6-jxrh
github.com/advisories/GHSA-g39v-qrj6-jxrh
nvd.nist.gov/vuln/detail/CVE-2026-33764

Code Behaviors & Features

Detect and mitigate CVE-2026-33764 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →