PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33684 WWBN CVE debrief

A vulnerability in AVideo allows for privilege escalation through unguarded permission parameters in the signUp API. This issue has been fixed in version 29.0. The vulnerability is caused by the set_api_signUp method in the API plugin accepting emailVerified, canUpload, canStream, and canCreateMeet parameters from user-supplied input and applying them to newly created accounts without verifying that the request was authenticated with a valid APISecret. This allows any user who can solve a CAPTCHA to self-grant elevated permissions during account registration.

Vendor
WWBN
Product
AVideo
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-16
Advisory published
2026-07-15
Advisory updated
2026-07-16

Who should care

Users of AVideo versions prior to 29.0 should apply the patch to prevent privilege escalation. This includes administrators and security teams responsible for managing AVideo deployments.

Technical summary

The set_api_signUp method in the API plugin accepts emailVerified, canUpload, canStream, and canCreateMeet parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid APISecret. This allows any user who can solve a CAPTCHA to self-grant elevated permissions during account registration. The vulnerability affects AVideo versions prior to 29.0.

Defensive priority

Medium

Recommended defensive actions

  • Apply the patch to upgrade AVideo to version 29.0 or later
  • Restrict access to the signUp API to authenticated users with a valid APISecret
  • Monitor for suspicious activity, such as unexpected privilege escalation
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-15T21:16:36.323Z and was last modified on 2026-07-16T14:16:50.530Z. The NVD entry is currently Deferred. This information is based on the CVE record and NVD entry. Defenders should verify the affected scope and severity with the vendor and apply the patch to prevent privilege escalation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T21:16:36.323Z and has not been modified since then. The NVD entry is currently Deferred.