
AVideo CVE-2026-33692

HIGH
Improper Input Validation (CWE-20)
2026-06-22 https://github.com/WWBN/AVideo GHSA-wf69-r4mx-43rr
7.5
CVSS 3.1 · GitHub Advisory

Severity by source

  • GitHub Advisory (primary): 7.5 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • vuln.today AI: 7.5 HIGH. Unauthenticated remote HTTP GET against default Docker deployment retrieves secrets - AV:N/AC:L/PR:N/UI:N; high confidentiality loss only, no integrity or availability impact.
      CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
      CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Lifecycle Timeline

  • Jun 22, 2026 - 20:16 (vuln.today): Source Code Evidence Fetched
  • Jun 22, 2026 - 20:16 (vuln.today): Analysis Generated
  • Jun 22, 2026 - 19:54 (github-advisory): CVE Published, HIGH 7.5

Description (GitHub Advisory)

Vulnerability Details

CWE: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory

The official docker-compose.yml (line 61) mounts the entire project root directory as the Apache document root:

```yaml
volumes:
  - "./:/var/www/html/AVideo"
```

This causes the .env file - which contains database credentials, admin passwords, and infrastructure configuration - to be served as a static file at /.env. No .htaccess rule or Apache configuration blocks access to dotfiles.

Exposed Information

An unauthenticated request to GET /.env returns:

```
DB_MYSQL_HOST=database
DB_MYSQL_USER=avideo
DB_MYSQL_PASSWORD=avideo
SYSTEM_ADMIN_PASSWORD=admin123
TLS_CERTIFICATE_FILE=/etc/apache2/ssl/localhost.crt
TLS_CERTIFICATE_KEY=/etc/apache2/ssl/localhost.key
NETWORK_SUBNET=172.30.0.0/16
```

Steps to Reproduce

Prerequisites

  • AVideo deployed using the official docker-compose.yml
  • No modifications to the default configuration

Steps

  1. Deploy AVideo using docker compose up -d
  2. Send: curl http://target/.env
  3. The full .env file contents are returned, including database credentials and admin password

Impact

  • Attacker: Unauthenticated (any remote user)
  • Victim: AVideo server and database
  • Specific damage: Attacker obtains database credentials (DB_MYSQL_USER, DB_MYSQL_PASSWORD), admin password (SYSTEM_ADMIN_PASSWORD), and internal network topology (NETWORK_SUBNET). This enables direct database access, admin panel takeover, and further lateral movement within the Docker network.

Proposed Fix

Add a .htaccess rule to block access to dotfiles:

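```apache
# Block access to hidden files (.env, .git, etc.)
# Apache 2.2 access-control syntax; on Apache 2.4 it requires mod_access_compat
# (the native 2.4 form is "Require all denied").
<FilesMatch "^\.">
    Order Allow,Deny
    Deny from all
</FilesMatch>
```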

Or configure Apache to deny dotfile access in the virtual host configuration.

Analysis (AI)

Unauthenticated information disclosure in WWBN AVideo (versions prior to 29.0) deployed via the official docker-compose.yml exposes the application's .env file at /.env, leaking database credentials, the SYSTEM_ADMIN_PASSWORD, and internal Docker network topology. The default Apache document root mount lacks any rule blocking dotfile access, so a single curl request to /.env returns plaintext secrets. …


Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Identify exposed AVideo host
  • Delivery: Send GET /.env over HTTP
  • Exploit: Receive plaintext secrets
  • Execution: Authenticate to admin panel with SYSTEM_ADMIN_PASSWORD
  • Persist: Connect to MySQL with leaked DB credentials
  • Impact: Exfiltrate user data and pivot within Docker subnet

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target AVideo instance was deployed using the project's official docker-compose.yml (which bind-mounts ./ to /var/www/html/AVideo) with default Apache configuration and an unmodified pre-29.0 .htaccess, and that the Apache HTTP(S) port is reachable by the attacker. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High) accurately reflects trivial unauthenticated remote retrieval of confidential data with no integrity or availability impact, and the description fully supports it: a single GET /.env returns secrets. …

Exploit Scenario: An opportunistic scanner probes internet-exposed AVideo instances with GET /.env and immediately receives plaintext database credentials, the system admin password (default admin123 in the example deployment), and the internal Docker subnet. The attacker logs into the AVideo admin panel with the recovered SYSTEM_ADMIN_PASSWORD and, if the database port is reachable, connects directly to MySQL using DB_MYSQL_USER / DB_MYSQL_PASSWORD to exfiltrate or modify user data. …

Remediation: Vendor-released patch: upgrade to AVideo 29.0 or later, which adds a RewriteRule in .htaccess blocking any path component beginning with a dot (except /.well-known/) per commit 7f418de1a95ab87bb8c8c3eb3702d71c351e098d. …
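
Added example (not part of the advisory or the AVideo code base): a docroot audit that compares the proposed <FilesMatch "^\."> rule with the path-component behaviour described under Remediation. Both rule functions are simplified models written for this example, and the directory tree is constructed; the point is that FilesMatch tests only the basename, so files inside a dot-directory such as .git/ are not covered by it.

```python
import os
import re
import tempfile

# Pattern from the page's proposed <FilesMatch "^\."> block.
DOT_BASENAME = re.compile(r"^\.")


def blocked_by_filesmatch(url_path):
    # Apache tests <Files>/<FilesMatch> against the basename of the served
    # file only, never against its parent directories.
    return bool(DOT_BASENAME.search(url_path.rsplit("/", 1)[-1]))


def blocked_by_component_rule(url_path):
    # Model (assumption) of the behaviour the page attributes to 29.0:
    # deny any path component starting with a dot, except /.well-known/.
    parts = [p for p in url_path.split("/") if p]
    if parts and parts[0] == ".well-known":
        parts = parts[1:]  # exempt only the leading .well-known component
    return any(p.startswith(".") for p in parts)


def audit_docroot(docroot):
    # Map every file under a dot-prefixed path component to
    # (blocked by FilesMatch, blocked by component rule).
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            url = "/" + rel.replace(os.sep, "/")
            if any(p.startswith(".") for p in url.split("/") if p):
                findings[url] = (blocked_by_filesmatch(url),
                                 blocked_by_component_rule(url))
    return findings


def demo():
    # Constructed sample tree standing in for a bind-mounted project root.
    with tempfile.TemporaryDirectory() as root:
        for rel in (".env", ".git/config", ".well-known/security.txt",
                    "index.php"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        return audit_docroot(root)


if __name__ == "__main__":
    for url, (fm, comp) in sorted(demo().items()):
        print(f"{url:28} FilesMatch={fm!s:5} component-rule={comp}")
```

Pointing audit_docroot at the directory that is bind-mounted as the document root lists every dot-path that either rule would have to cover on that deployment.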

Recommended Action (AI)

24 hours: Identify all WWBN AVideo deployments; if version pre-29.0, restrict internet-facing access or implement WAF rules blocking /.env. …
