CVE-2026-33041 Overview
CVE-2026-33041 is an information disclosure vulnerability in WWBN AVideo, an open source video platform. In versions 25.0 and below, the /objects/encryptPass.json.php endpoint exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes.
Critical Impact
This vulnerability lets an attacker who has already obtained database hashes through other means, such as SQL injection or backup exposure, crack them far more easily: the exposed hashing endpoint removes any need to reverse-engineer the hashing algorithm first.
Affected Products
- WWBN AVideo versions 25.0 and below
Discovery Timeline
- 2026-03-20 - CVE-2026-33041 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33041
Vulnerability Analysis
This vulnerability falls under the category of Information Exposure (CWE-200). The exposed /objects/encryptPass.json.php endpoint accepts arbitrary password input and returns the hashed result without requiring any authentication. This design flaw provides attackers with a convenient oracle for password hash generation using the application's exact hashing implementation.
The severity of this issue is compounded by the weak hash chain employed by AVideo, which uses md5+whirlpool+sha1 without a salt by default. This combination of a publicly accessible hash generation endpoint and cryptographically weak hashing practices creates a significant security risk for user credentials.
Root Cause
The root cause of this vulnerability is the lack of authentication controls on the encryptPass.json.php endpoint combined with the use of a weak hashing algorithm chain. The endpoint was designed to provide password hashing functionality but was inadvertently exposed to unauthenticated users, allowing anyone to generate hashes using the application's internal algorithm.
Attack Vector
The attack vector for CVE-2026-33041 is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability through the following scenario:
- The attacker first obtains password hashes from the AVideo database through a separate attack vector (SQL injection, exposed backup files, or misconfigured database access)
- The attacker then uses the exposed /objects/encryptPass.json.php endpoint to submit candidate passwords
- The endpoint returns the hashed equivalent for each submitted password
- By comparing the returned hashes against the stolen database hashes, the attacker can rapidly identify matching passwords
- Since no salt is used by default and the hash chain is predictable, this process is highly efficient
This endpoint essentially hands attackers a password hash oracle for the application's exact algorithm, so they no longer have to reverse-engineer the hash construction before running an offline attack, which significantly reduces the effort required to crack the stolen hashes.
Detection Methods for CVE-2026-33041
Indicators of Compromise
- Unusual or high-volume HTTP requests to /objects/encryptPass.json.php from external IP addresses
- Multiple requests to the hashing endpoint with varying password inputs from the same source
- Access logs showing unauthenticated requests to sensitive PHP endpoints in the /objects/ directory
- Evidence of database access attempts combined with hashing endpoint usage
Detection Strategies
- Implement web application firewall (WAF) rules to monitor and alert on access to /objects/encryptPass.json.php
- Configure rate limiting and anomaly detection for the affected endpoint
- Review web server access logs for patterns of automated password submission attempts
- Deploy intrusion detection signatures targeting enumeration of AVideo application endpoints
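A log-review check for the indicators above, written as an added example (not code from the AVideo project or from this advisory); it assumes an Apache combined-format access log and uses constructed sample lines, flagging any source that hits the hashing endpoint more than a set number of times inside a sliding time window:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint whose repeated unauthenticated use is the indicator for CVE-2026-33041.
ORACLE_PATH = "/objects/encryptPass.json.php"
# Apache "combined"-style access log line (assumed format; adapt to your own).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    # Return a dict for a well-formed line, None for anything else.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec

def flag_oracle_abuse(lines, threshold=5, window=timedelta(minutes=1)):
    # {ip: total hits} for sources with more than `threshold` requests to
    # ORACLE_PATH inside any sliding window of length `window`.
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == ORACLE_PATH:
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # slide the window's left edge forward
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample log: one source hammers the hashing endpoint six times in
# six seconds, another touches it once, and one line is malformed.
SAMPLE_LOG = [
    f'203.0.113.7 - - [20/Mar/2026:10:00:{s:02d} +0000] "POST {ORACLE_PATH} HTTP/1.1" 200 87'
    for s in range(1, 7)
] + [
    f'198.51.100.2 - - [20/Mar/2026:10:05:00 +0000] "POST {ORACLE_PATH} HTTP/1.1" 200 87',
    "garbage line that does not match the log format",
]
```

Tune `threshold` and `window` to the legitimate rate at which your deployment's own pages call this endpoint, and feed `flag_oracle_abuse` the lines of your real access log.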
Monitoring Recommendations
- Enable detailed logging for all requests to the /objects/ directory within AVideo
- Set up alerts for any unauthenticated access attempts to administrative or sensitive endpoints
- Monitor for correlating indicators such as SQL injection attempts combined with hashing endpoint access
- Implement network traffic analysis to detect bulk password hashing requests
How to Mitigate CVE-2026-33041
Immediate Actions Required
- Upgrade WWBN AVideo to version 26.0 or later immediately
- If immediate upgrade is not possible, restrict access to /objects/encryptPass.json.php at the web server level
- Review database access logs for any signs of unauthorized access or data exfiltration
- Consider forcing password resets for all users if database compromise is suspected
- Audit the application for any other exposed administrative endpoints
Patch Information
WWBN has released version 26.0 to address this vulnerability. The fix is available in the GitHub Commit ea2efd04. Additional details about the vulnerability and remediation can be found in the GitHub Security Advisory GHSA-px7x-gq96-rmp5.
Workarounds
- Block access to /objects/encryptPass.json.php using web server configuration rules
- Implement authentication requirements for all endpoints in the /objects/ directory
- Deploy a WAF rule to deny unauthenticated requests to sensitive application endpoints
- Consider implementing network segmentation to limit external access to the AVideo application
# Example Apache configuration to block access to the vulnerable endpoint
<LocationMatch "^/objects/encryptPass\.json\.php">
Require all denied
</LocationMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.