AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that Permissions::canModerateVideos() is used as an authorization gate for full video editing in videoAddNew.json.php, while videoDelete.json.php only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch.
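As an added illustration (not AVideo's code), a simplified Python model of the asymmetric boundary the description names: the vulnerable edit path gates every field, ownership included, on the moderator permission while deletion checks only ownership, beside a hardened variant in which moderators may change publicity status only. All names, the in-memory store and the sample users are hypothetical.

```python
from dataclasses import dataclass
@dataclass
class User:
    id: int
    is_admin: bool = False
    can_moderate_videos: bool = False  # models the "Videos Moderator" permission
@dataclass
class Video:
    id: int
    owner_id: int
    status: str = "a"  # publicity: a=Active, i=Inactive, u=Unlisted

def edit_video_vulnerable(actor, video, new_owner_id=None, status=None):
    # Vulnerable pattern: one moderator gate guards every field, ownership included.
    if not (actor.is_admin or actor.id == video.owner_id or actor.can_moderate_videos):
        raise PermissionError("not allowed to edit this video")
    if status is not None:
        video.status = status
    if new_owner_id is not None:
        video.owner_id = new_owner_id

def delete_video(actor, video, store):
    # Deletion checks ownership (or admin) only and trusts owner_id as stored.
    if not (actor.is_admin or actor.id == video.owner_id):
        raise PermissionError("only the owner may delete")
    del store[video.id]

def edit_video_hardened(actor, video, new_owner_id=None, status=None):
    # Hardened: each field has its own gate; moderators may change publicity only.
    owner_or_admin = actor.is_admin or actor.id == video.owner_id
    if status is not None:
        if not (owner_or_admin or actor.can_moderate_videos):
            raise PermissionError("not allowed to change publicity")
        video.status = status
    if new_owner_id is not None:
        if not owner_or_admin:
            raise PermissionError("only the owner or an admin may transfer ownership")
        video.owner_id = new_owner_id

def moderator_can_delete_others_video(edit_fn):
    # Regression check: can a moderator chain edit_fn + delete_video on a video it does not own?
    store = {7: Video(7, owner_id=1)}        # constructed sample: video owned by user 1
    mod = User(2, can_moderate_videos=True)  # moderator who is neither owner nor admin
    try:
        edit_fn(mod, store[7], new_owner_id=mod.id)  # step 1: transfer ownership to self
        delete_video(mod, store[7], store)           # step 2: delete as the new "owner"
    except PermissionError:
        pass
    return 7 not in store
```

The check returns True for the vulnerable edit path and False for the hardened one, which is the property a unit test guarding this boundary should assert.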
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wwbn/avideo (Packagist) | <= 26.0 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
References (4)
- https://github.com/advisories/GHSA-8x77-f38v-4m5j (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-33650 (NVD entry)
- https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8 (patch commit)
- https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j (vendor advisory)
News mentions (0)
No linked articles in our index yet.