Public March 2026
AVideo Docker Defaults Shipped a Predictable Admin Credential
BugBunny.ai reported that AVideo’s official Docker deployment path propagated a weak default password into the installer, which then created the admin account with that same value. Operators who launched the stack without overriding SYSTEM_ADMIN_PASSWORD exposed the application to trivial administrative takeover.
TL;DR
- Remote attackers can log in as the administrator on deployments that keep the shipped default password.
- Exposed configurations: default Docker or env.example deployments that leave SYSTEM_ADMIN_PASSWORD set to "password".
- Affected versions: AVideo releases before 24.0 deployed through the official Docker installer path.
- Published and fixed in AVideo 24.0.
Root Cause
The official deployment files set SYSTEM_ADMIN_PASSWORD to the weak default password, and the automated installer consumed that value directly when seeding the admin account. No first-login reset, password-complexity enforcement, or default-password detection interrupted the chain.
That makes the vulnerability more than a documentation problem. The deployment path actively carries a predictable secret from compose defaults into a persistent administrator credential, which is exactly the kind of initialization flaw attackers can scan for at scale.
Product: AVideo
Affected: < 24.0
Patched: >= 24.0
Weaknesses
CWE-1188: Insecure Default Initialization of Resource
Mitigation
- Upgrade AVideo to version 24.0 or later.
- Remove insecure password fallbacks from deployment manifests and fail closed when the admin password is unset.
- Force immediate password rotation or random password generation during first-time installs.
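One way to implement the fail-closed and random-generation mitigations in a container entrypoint, as an added example (not AVideo's own code or its actual fix). SYSTEM_ADMIN_PASSWORD comes from the advisory; the 12-character minimum, the deny-list entries other than `password`, and the ADMIN_PASSWORD_AUTOGEN switch are assumptions.

```shell
#!/bin/sh
# Added example: guard for the admin seed password, run before the installer.
# Assumptions: minimum length, deny list, and the ADMIN_PASSWORD_AUTOGEN switch.

MIN_ADMIN_PASSWORD_LEN=12

# Return 0 if the candidate is acceptable, otherwise a distinct code:
# 1 = unset or empty, 2 = known default, 3 = too short.
validate_admin_password() {
    candidate="$1"
    [ -n "$candidate" ] || return 1
    # Case-insensitive comparison against well-known default values.
    lowered=$(printf '%s' "$candidate" | tr '[:upper:]' '[:lower:]')
    case "$lowered" in
        password|admin|changeme|123456) return 2 ;;
    esac
    [ "${#candidate}" -ge "$MIN_ADMIN_PASSWORD_LEN" ] || return 3
    return 0
}

# 16 random bytes from the kernel CSPRNG, hex-encoded (32 characters).
generate_admin_password() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print the password the installer should seed, or fail closed (return 1).
resolve_admin_password() {
    rc=0
    validate_admin_password "${SYSTEM_ADMIN_PASSWORD:-}" || rc=$?
    case "$rc" in
        0) printf '%s' "$SYSTEM_ADMIN_PASSWORD"; return 0 ;;
        1) if [ "${ADMIN_PASSWORD_AUTOGEN:-0}" = "1" ]; then
               generate_admin_password; return 0
           fi
           echo "SYSTEM_ADMIN_PASSWORD is unset; refusing to install" >&2 ;;
        2) echo "SYSTEM_ADMIN_PASSWORD is a known default; refusing to install" >&2 ;;
        3) echo "SYSTEM_ADMIN_PASSWORD is shorter than $MIN_ADMIN_PASSWORD_LEN characters" >&2 ;;
    esac
    return 1
}
```

An entrypoint would call `resolve_admin_password` and abort the container start on a non-zero status, so no admin account is ever seeded from a missing or default value.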
Credits & Disclosure
Published via GitHub Security Advisory GHSA-89rv-p523-6wg9 for WWBN/AVideo on March 16, 2026.