CVE-2026-33488 Overview
WWBN AVideo, an open source video platform, contains a critical cryptographic weakness in its LoginControl plugin's PGP 2FA system. The createKeys() function generates 512-bit RSA keys, which have been publicly factorable since 1999 using commodity hardware. This vulnerability allows attackers who obtain a target user's public key to factor the RSA modulus within hours, derive the complete private key, and decrypt any PGP 2FA challenge—completely bypassing the second authentication factor.
Additionally, the generateKeys.json.php and encryptMessage.json.php endpoints lack authentication checks, exposing CPU-intensive key generation operations to anonymous users, creating potential for resource exhaustion attacks.
Critical Impact
Complete two-factor authentication bypass allowing unauthorized account access through cryptographic key derivation from publicly factorable 512-bit RSA keys.
Affected Products
- WWBN AVideo versions up to and including 26.0
- LoginControl plugin with PGP 2FA functionality
- Any AVideo instance using PGP-based two-factor authentication
Discovery Timeline
- 2026-03-23 - CVE-2026-33488 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33488
Vulnerability Analysis
This vulnerability stems from fundamentally inadequate cryptographic parameters in the PGP 2FA implementation. The use of 512-bit RSA keys represents a severe deviation from modern cryptographic standards, as RSA-512 was first publicly factored in 1999 using distributed computing. Modern hardware can factor such keys in a matter of hours using well-known algorithms like the General Number Field Sieve (GNFS).
The vulnerability is classified under CWE-326 (Inadequate Encryption Strength), reflecting the use of cryptographic parameters that fail to meet contemporary security requirements. While the network attack vector requires high complexity for exploitation, successful attacks can result in complete compromise of confidentiality, integrity, and availability.
Root Cause
The root cause lies in the createKeys() function within the LoginControl plugin, which explicitly generates 512-bit RSA key pairs for PGP 2FA operations. Modern cryptographic standards mandate a minimum of 2048-bit RSA keys, with 3072-bit or 4096-bit keys recommended for long-term security. The 512-bit key size provides approximately 56 bits of security strength—well below the 112-bit minimum recommended by NIST.
A secondary issue compounds this vulnerability: the key generation and message encryption endpoints (generateKeys.json.php and encryptMessage.json.php) operate without authentication, allowing anonymous users to trigger computationally expensive operations and potentially harvest public keys.
Attack Vector
The attack proceeds through the following mechanism: An attacker first obtains the target user's 512-bit RSA public key, which may be exposed through the unauthenticated endpoints or other means. Using factorization tools and commodity hardware (or cloud computing resources), the attacker factors the RSA modulus to recover the prime factors. With these factors, the complete private key is mathematically derivable. The attacker can then decrypt any PGP 2FA challenges issued by the system, effectively bypassing the second authentication factor entirely.
This attack is feasible because factoring a 512-bit RSA modulus requires approximately 8 hours on modern consumer-grade hardware using optimized implementations of GNFS. Cloud-based GPU resources can reduce this time significantly.
Detection Methods for CVE-2026-33488
Indicators of Compromise
- Unusual access patterns to generateKeys.json.php or encryptMessage.json.php endpoints from unauthenticated sessions
- Multiple failed 2FA attempts followed by successful authentication from different IP addresses
- Unexpected key generation requests or high CPU usage from the AVideo application
- Login attempts using valid 2FA codes from IP addresses inconsistent with user history
Detection Strategies
- Monitor web server logs for unauthenticated requests to /plugin/LoginControl/generateKeys.json.php and /plugin/LoginControl/encryptMessage.json.php
- Implement anomaly detection for authentication patterns, flagging successful 2FA after geographic anomalies
- Review PGP public keys stored in the system to identify any with 512-bit modulus lengths
- Configure web application firewalls to alert on high-frequency requests to key generation endpoints
Monitoring Recommendations
- Enable detailed logging for all LoginControl plugin authentication events
- Set up alerting for CPU usage spikes associated with PHP key generation processes
- Implement geolocation-based anomaly detection for 2FA challenge completions
- Conduct periodic audits of cryptographic key sizes stored in the application database
How to Mitigate CVE-2026-33488
Immediate Actions Required
- Update WWBN AVideo to a version containing commit 00d979d87f8182095c8150609153a43f834e351e or later
- Force regeneration of all existing PGP 2FA keys with appropriate key sizes (minimum 2048-bit)
- Implement authentication requirements for the generateKeys.json.php and encryptMessage.json.php endpoints if running an unpatched version
- Consider temporarily disabling PGP 2FA until patched, using alternative 2FA methods
Patch Information
The vulnerability has been addressed in commit 00d979d87f8182095c8150609153a43f834e351e. This patch modifies the createKeys() function to generate cryptographically secure RSA key pairs with appropriate key lengths. Organizations running WWBN AVideo should apply this patch immediately by updating to the latest version from the official repository.
For detailed patch information, refer to the GitHub Commit and the GitHub Security Advisory.
Workarounds
- Restrict access to the LoginControl plugin endpoints via web server configuration (Apache/Nginx rules)
- Implement rate limiting on key generation endpoints to mitigate resource exhaustion
- Use network-level access controls to limit who can reach the AVideo administration interfaces
- Monitor and invalidate existing 512-bit keys, requiring users to re-enroll with secure key generation
# Nginx configuration to restrict access to vulnerable endpoints
location ~ ^/plugin/LoginControl/(generateKeys|encryptMessage)\.json\.php$ {
# Require authentication or restrict to internal networks
allow 10.0.0.0/8;
allow 192.168.0.0/16;
deny all;
# Alternatively, disable entirely until patched
# return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
