How CVE-2026-33037 Works
This vulnerability, identified as CVE-2026-33037, exposes critical system credentials due to a misconfiguration in the official Docker deployment of WWBN AVideo. The root cause is the official `docker-compose.yml` file, which mounts the entire project root directory as the Apache document root. Specifically, line 61 of the file contains the following directive:
volumes:
  - "./:/var/www/html/AVideo"
This configuration makes every file in the project root, including the `.env` file, accessible via the web server. The `.env` file is intended to store sensitive environment variables, but because there is no `.htaccess` rule or Apache configuration to block access to dotfiles, it is served as a static file.
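The misconfiguration is easy to catch before deployment by auditing the compose file for bind mounts that put the project root (and every dotfile in it) under a document root. The following is an added example written for this page, not code from the AVideo project or from the advisory; the list of web-root prefixes, the sample compose content (including the placeholder image tag and the extra mounts) and the sample directory listing are assumptions, with only the `./:/var/www/html/AVideo` volume line taken from the advisory.

```python
"""Flag docker-compose bind mounts that place a project root (and any .env in it)
under a web server's document root.

Added example for this advisory; it is not code from the AVideo project.
It scans compose short-syntax volume entries line by line (no YAML library
needed), so it only understands "- host:container[:mode]" items, which is the
form the advisory quotes.
"""
import posixpath
import re
from typing import Dict, List

# Container paths commonly served as a document root. Assumption: /var/www
# covers the Apache-based AVideo image; the others are included for generality.
WEB_ROOT_PREFIXES = (
    "/var/www",
    "/usr/share/nginx/html",
    "/usr/local/apache2/htdocs",
    "/srv/www",
)

# Short-syntax bind mount: host paths start with '.', '/' or '~'. Named volumes
# (e.g. "- dbdata:/var/lib/mysql") do not, so they are ignored.
BIND_MOUNT_RE = re.compile(
    r"""^\s*-\s*["']?(?P<host>[.~/][^:"']*):(?P<container>/[^:"']*)"""
    r"""(?::(?P<mode>[^"']+))?["']?\s*$"""
)


def find_bind_mounts(compose_text: str) -> List[Dict[str, str]]:
    """Extract host/container/mode for every short-syntax bind mount."""
    mounts = []
    for lineno, line in enumerate(compose_text.splitlines(), 1):
        m = BIND_MOUNT_RE.match(line)
        if m:
            mounts.append({
                "line": lineno,
                "host": m.group("host"),
                "container": m.group("container"),
                "mode": m.group("mode") or "rw",
            })
    return mounts


def audit_compose(compose_text: str, host_files: List[str]) -> List[Dict[str, object]]:
    """Return one finding per mount whose host side is the project root ('.')
    and whose container side lies under a web root.

    host_files is the listing of the project root on the host (os.listdir(".")
    in practice); every dotfile in it becomes web-reachable through such a mount.
    """
    findings = []
    for mount in find_bind_mounts(compose_text):
        host = posixpath.normpath(mount["host"])
        container = posixpath.normpath(mount["container"])
        under_web_root = any(
            container == p or container.startswith(p + "/") for p in WEB_ROOT_PREFIXES
        )
        if host == "." and under_web_root:
            dotfiles = sorted(f for f in host_files if f.startswith("."))
            findings.append({
                "line": mount["line"],
                "container": container,
                "exposed_dotfiles": dotfiles,
                # A secrets file in the mount turns this into a credential exposure.
                "severity": "high" if ".env" in dotfiles else "medium",
            })
    return findings


# Constructed sample mirroring the advisory's volume line; the image tag and the
# other two mounts are placeholders, not the real AVideo compose file.
SAMPLE_COMPOSE = """\
services:
  avideo:
    image: example/avideo:placeholder
    volumes:
      - "./:/var/www/html/AVideo"
      - "./ssl:/etc/apache2/ssl:ro"
      - dbdata:/var/lib/mysql
"""
# Constructed listing of the project root on the host.
SAMPLE_HOST_FILES = [".env", ".git", "docker-compose.yml", "index.php"]


if __name__ == "__main__":
    for f in audit_compose(SAMPLE_COMPOSE, SAMPLE_HOST_FILES):
        print(f"line {f['line']}: project root mounted at {f['container']} "
              f"exposes {f['exposed_dotfiles']} ({f['severity']})")
```

Run it against a real checkout by reading `docker-compose.yml` into `audit_compose` together with `os.listdir(".")`; a mount of `./public` or of the project root to a path outside the web-root prefixes produces no finding, while the advisory's mount of `./` under `/var/www/html` is reported with the dotfiles it exposes.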
An unauthenticated attacker can simply send a GET request to `/.env` and receive the full contents of the file. The exposed information typically includes:
– Database credentials (DB_MYSQL_HOST, DB_MYSQL_USER, DB_MYSQL_PASSWORD)
– The administrator password (SYSTEM_ADMIN_PASSWORD)
– Internal network topology details (NETWORK_SUBNET)
– Paths to TLS certificate files
This exposure is a direct consequence of CWE-538: Insertion of Sensitive Information into an Externally-Accessible File or Directory. The issue is compounded by the fact that the default credentials are often weak or hardcoded, making administrative takeover trivial. The vulnerability affects AVideo versions 25.0 and below, and it has been assigned a CVSS score of 8.1 (High). The problem is fixed in version 26.0.
DailyCVE Form
Platform: WWBN AVideo
Version: <= 25.0
Vulnerability: .env Exposure
Severity: Critical (8.1)
Date: 2026-03-20
Prediction: 2026-03-20 (Fixed in v26.0)
Analytics Under What Undercode Say
The following analytics and commands demonstrate the ease of exploiting this misconfiguration.
Exploitation Command:
curl http://target-ip-or-domain/.env
Example Output:
DB_MYSQL_HOST=database
DB_MYSQL_USER=avideo
DB_MYSQL_PASSWORD=avideo
SYSTEM_ADMIN_PASSWORD=admin123
TLS_CERTIFICATE_FILE=/etc/apache2/ssl/localhost.crt
TLS_CERTIFICATE_KEY=/etc/apache2/ssl/localhost.key
NETWORK_SUBNET=172.30.0.0/16
Docker Compose Misconfiguration:
volumes:
  - "./:/var/www/html/AVideo"   # mounts the entire project root as the web root
How to Exploit
- Identify Target: Find a WWBN AVideo instance deployed using the official `docker-compose.yml` without modifications.
- Send Request: Use `curl` or a web browser to request the `.env` file directly from the server’s root.
- Extract Credentials: Parse the response to obtain database credentials, admin passwords, and other sensitive information.
- Gain Access: Use the obtained credentials to log in to the admin panel or directly access the database.
- Lateral Movement: Use the exposed network topology and credentials to move laterally within the Docker network.
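From the defender's side, the request described above leaves a clear trace in the web server's access log, and the response status tells you whether the file was actually served or the probe was blocked. The following is an added example for this page, not part of the advisory or the AVideo project: it parses Apache combined-format log lines, flags requests for dotfiles (after URL-decoding, so `%2Eenv` is caught too), and counts the source addresses that obtained a successful read, which is the list that decides whether credentials must be rotated. The log lines are constructed and use RFC 5737 documentation addresses; the `.well-known` allowlist is an assumption.

```python
"""Spot dotfile retrieval attempts (/.env, /.git/..., ...) in Apache combined-format
access logs and tell successful reads apart from blocked probes.

Added example for this advisory, not part of the AVideo project. The log lines
below are constructed; the IPs are RFC 5737 documentation addresses.
"""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Apache "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Dot-directories that legitimately receive requests (assumption); everything
# else that starts with a dot (.env, .git, .htaccess, .DS_Store) is treated as a probe.
ALLOWED_DOT_SEGMENTS = {".well-known"}


def requested_dotfile(target: str) -> bool:
    """True if any path segment (query stripped, URL-decoded) is a dotfile."""
    path = unquote(target.split("?", 1)[0])
    for seg in path.split("/"):
        if seg.startswith(".") and seg not in (".", "..") and seg not in ALLOWED_DOT_SEGMENTS:
            return True
    return False


def detect_dotfile_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one record per dotfile request. A 2xx status means the server
    actually served the file ("exposed"); anything else is a blocked probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not requested_dotfile(m.group("target")):
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "path": unquote(m.group("target").split("?", 1)[0]),
            "status": m.group("status"),
            "verdict": "exposed" if 200 <= status < 300 else "blocked",
        })
    return hits


def sources_with_exposure(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count successful dotfile reads per source IP: these hosts now hold the
    file contents, so the credentials in it must be treated as compromised."""
    return Counter(h["ip"] for h in hits if h["verdict"] == "exposed")


# Constructed sample log: one successful read, two blocked probes, two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:15:01 +0000] "GET /.env HTTP/1.1" 200 312 "-" "curl/8.5.0"
203.0.113.7 - - [20/Mar/2026:10:15:03 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "curl/8.5.0"
198.51.100.4 - - [20/Mar/2026:10:16:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Mar/2026:10:16:12 +0000] "GET /.well-known/acme-challenge/token HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2026:10:17:00 +0000] "GET /AVideo/%2Eenv?x=1 HTTP/1.1" 403 199 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    hits = detect_dotfile_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['ip']} {h['path']} -> {h['status']} ({h['verdict']})")
    print("sources holding exposed files:", dict(sources_with_exposure(hits)))
```

A 200 on `/.env` in historical logs means the fix below is not enough on its own: the database and `SYSTEM_ADMIN_PASSWORD` values in the file have to be rotated as well, because the source address in the log already has them.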
Protection from this CVE
To protect against this vulnerability, implement one of the following fixes:
1. Add .htaccess Rule: Place the following in the web root to block access to all hidden files. The `Order`/`Deny` directives are Apache 2.2 syntax and need mod_access_compat on Apache 2.4, where the native equivalent is `Require all denied`; an `.htaccess` file only takes effect if the directory's `AllowOverride` setting permits it.
<FilesMatch "^\.">
    Order Allow,Deny
    Deny from all
</FilesMatch>
2. Apache Configuration: Configure the Apache virtual host to deny access to dotfiles.
3. Move .env File: Store the `.env` file outside the web root directory.
4. Upgrade: Upgrade to WWBN AVideo version 26.0 or newer, where this issue is fixed.
Impact
- Attacker: Unauthenticated, remote attacker.
- Victim: AVideo server and its underlying database.
- Specific Damage:
  - Exposure of database credentials (DB_MYSQL_USER, DB_MYSQL_PASSWORD).
  - Exposure of the administrator password (SYSTEM_ADMIN_PASSWORD).
  - Exposure of internal network topology (NETWORK_SUBNET).
  - Direct database access and admin panel takeover.
  - Potential for lateral movement within the Docker network.
  - Full administrative access can lead to remote code execution via file uploads and plugin management.
Sources:
Reported By: github.com