PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33692 WWBN CVE debrief

AVideo versions prior to 29.0 expose .env files to unauthenticated users through the official Docker compose configuration. The official docker-compose.yml mounts the entire project root directory as the Apache document root, causing the .env file — which contains database credentials, admin passwords, and infrastructure configuration — to be served as a static file at /.env. This vulnerability allows for direct database access, admin panel takeover, and further lateral movement within the Docker network. Users of AVideo versions prior to 29.0, especially those using the official Docker compose configuration, should be aware of this vulnerability and take immediate action to protect their systems.

Vendor
WWBN
Product
AVideo
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of AVideo versions prior to 29.0, especially those using the official Docker compose configuration, should be aware of this vulnerability and take immediate action to protect their systems. This includes updating AVideo to version 29.0 or later, reviewing and updating Docker compose configuration to prevent exposure of sensitive files, and implementing additional security measures to protect against unauthorized access.

Technical summary

The vulnerability exists in AVideo versions prior to 29.0 due to the official docker-compose.yml mounting the entire project root directory as the Apache document root. This causes the .env file, which contains sensitive information such as database credentials, admin passwords, and infrastructure configuration, to be served as a static file at /.env. No .htaccess rule or Apache configuration blocks access to dotfiles, allowing unauthenticated users to access sensitive information. Exploitation enables direct database access, admin panel takeover, and further lateral movement within the Docker network.

Defensive priority

High

Recommended defensive actions

  • Update AVideo to version 29.0 or later
  • Review and update Docker compose configuration to prevent exposure of sensitive files
  • Implement additional security measures to protect against unauthorized access
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-16T21:17:20.183Z and has not been modified since then. The NVD entry is currently 7.5 HIGH. This information is based on the official CVE record and NVD detail. The official docker-compose.yml file mounts the entire project root directory as the Apache document root, causing the .env file to be served as a static file at /.env. No .htaccess rule or Apache configuration blocks access to dotfiles. Exploitation enables direct database access, admin panel takeover, and further lateral movement within the Docker network.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T21:17:20.183Z and has not been modified since then.