PROBABLYPWNED
Vulnerabilities | March 23, 2026

AVideo RCE Chain Gives Attackers Full Server Access Without Auth

Three vulnerabilities in AVideo's CloneSite plugin chain together for unauthenticated remote code execution. No patch is available for CVE-2026-33478, which lets attackers extract admin credentials and inject OS commands.

Marcus Chen

A chain of three vulnerabilities in AVideo's CloneSite plugin allows completely unauthenticated attackers to achieve remote code execution on servers running the open-source video platform. The flaws were disclosed this week with no patch currently available.

AVideo (formerly YouPHPTube) is a self-hosted video streaming platform used by organizations wanting YouTube-like functionality without depending on third-party services. The vulnerability chain affects the CloneSite plugin, which enables site replication and backup functionality.

The Attack Chain

CVE-2026-33478 combines three separate weaknesses into a single unauthenticated RCE:

Step 1: Clone Key Disclosure

The clones.json.php endpoint exposes clone secret keys without any authentication. These keys are intended to authorize replication operations between AVideo instances but are accessible to anyone who knows the endpoint exists.

Step 2: Database Dump and Credential Extraction

With a valid clone key, attackers can trigger a full database dump via cloneServer.json.php. The dump contains administrator password hashes stored as MD5, which are trivially crackable with modern hardware or rainbow tables.

MD5 is a fast, general-purpose hash, not a password hash, and when used without a salt, as described here, every user's hash can be attacked with a single precomputed table. It has been considered unsuitable for credential storage for well over a decade. Any password stored this way should be assumed compromised once the database is readable.
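To make the "assumed compromised" point concrete, the following added example (not code from the article or from AVideo) runs an offline dictionary attack against an unsalted MD5 hash of the kind the dump is said to contain, then contrasts it with a salted, memory-hard scrypt hash. The sample hash and the five-word dictionary are constructed for the demo; real attackers use wordlists of hundreds of millions of entries and GPUs that compute billions of MD5 hashes per second.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample: an unsalted MD5 hash as the article says the AVideo dump
# stores admin passwords. This one is md5("password123"), built here for the demo.
SAMPLE_MD5 = hashlib.md5(b"password123").hexdigest()

# Constructed stand-in for a real cracking dictionary.
WORDLIST = ["123456", "letmein", "admin", "password123", "qwerty"]

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)
SALT_LEN = 16


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on an unsalted MD5 hash.

    Without a salt, one candidate hash tests against every user in the dump at
    once, which is why a single precomputed (rainbow) table suffices.
    """
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target_hex:
            return candidate
    return None


def hash_password_scrypt(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted, memory-hard password hash (scrypt from the standard library).

    Returns salt || digest so the salt travels with the record. A fresh random
    salt per user defeats shared tables; the work factor slows brute force.
    """
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_scrypt(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    recomputed = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(recomputed, digest)


if __name__ == "__main__":
    print("MD5 cracked to:", crack_md5(SAMPLE_MD5, WORDLIST))
    a = hash_password_scrypt("password123")
    b = hash_password_scrypt("password123")
    print("same password, different scrypt records:", a != b)
    print("verify:", verify_scrypt("password123", a), verify_scrypt("wrong", a))
```

The two scrypt records for the same password differ because each carries its own salt, so a dump of such hashes cannot be attacked with one table; each record costs the attacker the full scrypt work per guess.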

Step 3: Command Injection

With admin credentials, attackers exploit an OS command injection in the rsync command construction within cloneClient.json.php. User-controlled input gets passed to system commands without sanitization, enabling arbitrary code execution.

The entire chain requires no authentication at the starting point, and each step enables the next.
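The third step is a textbook shell-string injection: user input concatenated into an rsync command and handed to a shell. AVideo is written in PHP and its actual cloneClient.json.php code is not reproduced in the article, so the following added example (not the project's code) shows the same bug and its fix as a Python analogue. The host pattern, the destination directory and the path rules are assumptions for the demo; the injected payload is harmless and only echoes a marker.

```python
import re
import subprocess
from typing import List

# Assumed destination directory for the demo; not taken from AVideo.
DEST_DIR = "/var/www/avideo/videos/"

# Assumed allow-list syntax: DNS labels or an IPv4 literal, nothing else.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")
# Assumed path syntax: absolute, no '..' segments, no shell metacharacters.
PATH_RE = re.compile(r"^/[A-Za-z0-9/_.-]*$")


def build_rsync_vulnerable(remote_host: str, remote_path: str) -> str:
    """The pattern the article describes: attacker input interpolated into a
    shell command string. Everything after a ';' in remote_host runs as a
    separate command on the AVideo server."""
    return f"rsync -az {remote_host}:{remote_path} {DEST_DIR}"


def run_vulnerable(remote_host: str, remote_path: str = "/videos/") -> str:
    """Execute the vulnerable string through /bin/sh and return its stdout.
    rsync itself fails (no such source), but the injected command still runs."""
    cmd = build_rsync_vulnerable(remote_host, remote_path)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def build_rsync_safe(remote_host: str, remote_path: str) -> List[str]:
    """Hardened form: validate both inputs against strict patterns, then build
    an argv list so no shell ever parses them. '--' stops rsync from reading a
    leading '-' in the source as an option."""
    if not HOST_RE.match(remote_host):
        raise ValueError(f"invalid clone host: {remote_host!r}")
    if not PATH_RE.match(remote_path) or ".." in remote_path.split("/"):
        raise ValueError(f"invalid clone path: {remote_path!r}")
    return ["rsync", "-az", "--", f"{remote_host}:{remote_path}", DEST_DIR]


def run_safe(remote_host: str, remote_path: str) -> subprocess.CompletedProcess:
    """With an argv list and shell=False, each element is exactly one argument."""
    return subprocess.run(build_rsync_safe(remote_host, remote_path),
                          shell=False, capture_output=True, text=True)


if __name__ == "__main__":
    payload = "example.invalid; echo INJECTED #"
    print("vulnerable output:", run_vulnerable(payload).strip())  # INJECTED
    try:
        build_rsync_safe(payload, "/videos/")
    except ValueError as exc:
        print("hardened rejects it:", exc)
```

Two caveats the hardened version relies on. Passing an argv list removes the local shell, but rsync hands the remote path to a shell on the remote side over ssh, so the strict path pattern is not optional. And validation should be an allow-list of what a clone target may look like, never a deny-list of characters such as ';' and '|'.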

Additional Vulnerabilities

The disclosure includes several related CVEs affecting AVideo's CloneSite plugin:

  • CVE-2026-33293: Arbitrary file deletion via path traversal in deleteDump parameter (CVSS 8.1)
  • CVE-2026-33292: Authorization bypass allowing streaming of private/paid videos
  • CVE-2026-33488: 2FA bypass via cryptographically broken 512-bit RSA key generation
  • CVE-2026-33507: CSRF on plugin import enabling unauthenticated RCE via malicious plugin upload

The file deletion bug is particularly dangerous. Attackers holding clone credentials can supply traversal sequences (../../) to delete files outside the intended dump directory, such as configuration.php, causing a denial of service or, depending on which files are removed, disabling security controls and opening the way for further attacks.

No Patch Available

As of publication, no fix has been released. The vulnerabilities were disclosed approximately four days ago. Organizations running AVideo should consider:

  1. Disable the CloneSite plugin - If site replication isn't actively used, disable the plugin entirely
  2. Restrict access - Place AVideo behind authentication at the network level
  3. Monitor for exploitation - Watch for requests to clones.json.php, cloneServer.json.php or cloneClient.json.php, particularly from addresses that are not known replicas, and for deleteDump parameters containing traversal sequences
  4. Change admin passwords - If the database may have been exposed, rotate credentials immediately
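The monitoring advice above can be turned into a concrete check. The following added example (not from the article or from AVideo) parses combined-format access log lines and raises an alert when a CloneSite endpoint is hit from an address outside a replica allow-list, when a deleteDump parameter carries a traversal sequence, and when one source first reads clones.json.php and then cloneServer.json.php, the key-disclosure-then-dump sequence of the chain. The log lines, the /plugin/CloneSite/ path prefix and the endpoint carrying deleteDump are constructed for the demo; the article does not state the exact URL paths.

```python
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint names from the disclosure; the directory prefix below is an assumption.
CLONE_ENDPOINTS = ("clones.json.php", "cloneServer.json.php", "cloneClient.json.php")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic: one unknown host walking the chain, one legitimate
# replica pulling a dump, one ordinary viewer.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:01:02 +0000] "GET /plugin/CloneSite/clones.json.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [20/Mar/2026:10:01:09 +0000] "GET /plugin/CloneSite/cloneServer.json.php?key=REDACTED HTTP/1.1" 200 7340032 "-" "curl/8.5.0"
203.0.113.7 - - [20/Mar/2026:10:03:41 +0000] "GET /plugin/CloneSite/cloneClient.json.php?deleteDump=..%2F..%2Fconfiguration.php HTTP/1.1" 200 88 "-" "curl/8.5.0"
198.51.100.20 - - [20/Mar/2026:11:00:00 +0000] "GET /plugin/CloneSite/cloneServer.json.php?key=REDACTED HTTP/1.1" 200 7340032 "-" "AVideo-Clone/1.0"
192.0.2.55 - - [20/Mar/2026:11:05:00 +0000] "GET /video/12345 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

Alert = Tuple[str, str, str]  # (source ip, rule name, detail)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def has_traversal(value: str) -> bool:
    # parse_qs already decoded once; a second unquote catches double encoding.
    decoded = unquote(value).replace("\\", "/")
    return ".." in decoded.split("/")


def detect(log_text: str, allowed_replicas: Set[str]) -> List[Alert]:
    alerts: List[Alert] = []
    seen: Dict[str, Set[str]] = {}  # ip -> clone endpoints it touched
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, parts = rec["ip"], urlsplit(rec["url"])
        endpoint = parts.path.rsplit("/", 1)[-1]
        params = parse_qs(parts.query, keep_blank_values=True)
        if endpoint in CLONE_ENDPOINTS:
            seen.setdefault(ip, set()).add(endpoint)
            if ip not in allowed_replicas:
                alerts.append((ip, "clone_endpoint", f"{endpoint} from non-replica source"))
        for value in params.get("deleteDump", []):
            if has_traversal(value):
                alerts.append((ip, "deletedump_traversal", unquote(value)))
    # Key disclosure followed by a dump request from the same unknown source.
    for ip, endpoints in seen.items():
        if ip not in allowed_replicas and {"clones.json.php", "cloneServer.json.php"} <= endpoints:
            alerts.append((ip, "chain_key_then_dump", "clones.json.php then cloneServer.json.php"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, allowed_replicas={"198.51.100.20"}):
        print(alert)
```

The allow-list is the part that needs local knowledge: replication is legitimate only between your own AVideo instances, so any other source touching these endpoints is worth a look even when the request itself is well-formed.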

This follows a pattern of web application vulnerabilities seen throughout 2026 in which multiple flaws chain together for unauthenticated RCE. The critical Langflow vulnerability, exploited within 20 hours of disclosure, shows how quickly attackers weaponize such chains.

Why This Matters

Self-hosted video platforms often contain sensitive content that organizations chose not to upload to public services for privacy or compliance reasons. A compromised AVideo server could expose internal training videos, confidential presentations, or content meant for paying subscribers.

The CloneSite plugin is designed for backup and migration workflows, so it has extensive access to system resources by design. When that access is exposed without authentication, attackers gain significant leverage.

Organizations running AVideo should audit whether the CloneSite plugin is actually needed and remove it if not. For those requiring the functionality, implementing network-level access controls buys time until a patch arrives.
