EXECUTIVE SUMMARY:
CVE-2026-33692 with a CVSS score of 7.5 is a vulnerability in the AVideo streaming platform (composer/wwbn/avideo) affecting all releases prior to version 29.0 that are deployed using the official docker‑compose.yml. The docker configuration mounts the entire project directory into the Apache web root, inadvertently exposing the application’s .env file as a publicly accessible static resource because no .htaccess or server directive blocks dotfiles. An unauthenticated remote attacker can simply issue an HTTP GET request to /.env on the target host; no credentials, privileged access, or prior foothold are required, only that the default compose file is used without modification. The request returns the full environment file, revealing database host, user and password, the system admin password, TLS certificate paths, and internal network subnet information. With these secrets the attacker can directly connect to the MySQL database, hijack the admin interface, and pivot to other containers on the Docker network, potentially exfiltrating data, modifying content, or disrupting services. Exploitation is possible whenever the vulnerable container is launched with the default volume mapping and the web server is reachable from the Internet or internal network.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-33692 with a CVSS score of 7.5 is a vulnerability in the AVideo streaming platform (composer/wwbn/avideo) affecting all releases prior to version 29.0 that are deployed using the official docker‑compose.yml. The docker configuration mounts the entire project directory into the Apache web root, inadvertently exposing the application’s .env file as a publicly accessible static resource because no .htaccess or server directive blocks dotfiles. An unauthenticated remote attacker can simply issue an HTTP GET request to /.env on the target host; no credentials, privileged access, or prior foothold are required, only that the default compose file is used without modification. The request returns the full environment file, revealing database host, user and password, the system admin password, TLS certificate paths, and internal network subnet information. With these secrets the attacker can directly connect to the MySQL database, hijack the admin interface, and pivot to other containers on the Docker network, potentially exfiltrating data, modifying content, or disrupting services. Exploitation is possible whenever the vulnerable container is launched with the default volume mapping and the web server is reachable from the Internet or internal network.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-wf69-r4mx-43rr