WWBN AVideo is an open source video platform. Prior to version 29.0, Privilege Escalation is possible through unguarded permission parameters in signUp API, which allows any user who can solve a CAPTCHA to self-grant elevated permissions during account registration. The set_api_signUp method in the API plugin accepts emailVerified, canUpload, canStream, and canCreateMeet parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid APISecret. By self-granting account attributes, attackers can mark their own accounts as email-verified without owning the address (bypassing email-gated functionality) and award themselves upload, streaming, and meeting-creation permissions, circumventing administrator access controls that intentionally restrict these capabilities for new users. This issue has been fixed in version 29.0

Project Subscriptions

No data.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8j8m-p79x-g4jm AVideo's Privilege Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 15 Jul 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Wed, 15 Jul 2026 21:00:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. Prior to version 29.0, Privilege Escalation is possible through unguarded permission parameters in signUp API, which allows any user who can solve a CAPTCHA to self-grant elevated permissions during account registration. The set_api_signUp method in the API plugin accepts emailVerified, canUpload, canStream, and canCreateMeet parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid APISecret. By self-granting account attributes, attackers can mark their own accounts as email-verified without owning the address (bypassing email-gated functionality) and award themselves upload, streaming, and meeting-creation permissions, circumventing administrator access controls that intentionally restrict these capabilities for new users. This issue has been fixed in version 29.0
Title AVideo's Privilege AVideo: Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-15T20:47:45.146Z

Reserved: 2026-03-23T16:34:59.931Z

Link: CVE-2026-33684

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-15T23:30:04Z

Weaknesses