CVE-2026-33501: AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin

March 20, 2026

The endpoint plugin/Permissions/View/Users_groups_permissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (add.json.php, delete.json.php, index.php) properly require User::isAdmin(), indicating this is an oversight.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8
github.com/advisories/GHSA-96qp-8cmq-jvq8
nvd.nist.gov/vuln/detail/CVE-2026-33501

Code Behaviors & Features

Detect and mitigate CVE-2026-33501 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →