CVE-2026-33297: AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php

March 19, 2026

The setPassword.json.php endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero before being stored. This means that regardless of the intended password, the stored channel password becomes 0, which any visitor can trivially guess to bypass channel-level access control.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-6547-8hrg-c55m
github.com/advisories/GHSA-6547-8hrg-c55m
nvd.nist.gov/vuln/detail/CVE-2026-33297

Code Behaviors & Features

Detect and mitigate CVE-2026-33297 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →