PatchSiren cyber security CVE debrief
CVE-2026-33692 WWBN CVE debrief
AVideo versions prior to 29.0 expose .env files to unauthenticated users through the official Docker compose configuration. The official docker-compose.yml mounts the entire project root directory as the Apache document root, causing the .env file — which contains database credentials, admin passwords, and infrastructure configuration — to be served as a static file at /.env. This vulnerability allows for direct database access, admin panel takeover, and further lateral movement within the Docker network. Users of AVideo versions prior to 29.0, especially those using the official Docker compose configuration, should be aware of this vulnerability and take immediate action to protect their systems.
- Vendor
- WWBN
- Product
- AVideo
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of AVideo versions prior to 29.0, especially those using the official Docker compose configuration, should be aware of this vulnerability and take immediate action to protect their systems. This includes updating AVideo to version 29.0 or later, reviewing and updating Docker compose configuration to prevent exposure of sensitive files, and implementing additional security measures to protect against unauthorized access.
Technical summary
The vulnerability exists in AVideo versions prior to 29.0 due to the official docker-compose.yml mounting the entire project root directory as the Apache document root. This causes the .env file, which contains sensitive information such as database credentials, admin passwords, and infrastructure configuration, to be served as a static file at /.env. No .htaccess rule or Apache configuration blocks access to dotfiles, allowing unauthenticated users to access sensitive information. Exploitation enables direct database access, admin panel takeover, and further lateral movement within the Docker network.
Defensive priority
High
Recommended defensive actions
- Update AVideo to version 29.0 or later
- Review and update Docker compose configuration to prevent exposure of sensitive files
- Implement additional security measures to protect against unauthorized access
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-16T21:17:20.183Z and has not been modified since then. The NVD entry is currently 7.5 HIGH. This information is based on the official CVE record and NVD detail. The official docker-compose.yml file mounts the entire project root directory as the Apache document root, causing the .env file to be served as a static file at /.env. No .htaccess rule or Apache configuration blocks access to dotfiles. Exploitation enables direct database access, admin panel takeover, and further lateral movement within the Docker network.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T21:17:20.183Z and has not been modified since then.