CVE-2026-40908 Overview
CVE-2026-40908 is an information disclosure vulnerability in WWBN AVideo, an open source video platform. The vulnerability exists in the git.json.php file located at the web root, which executes git log -1 and returns the full output as JSON to any unauthenticated user. This exposes sensitive information including the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes.
Critical Impact
Unauthenticated attackers can fingerprint the deployed version against known vulnerabilities and harvest developer PII, with no credentials or user interaction required.
Affected Products
- WWBN AVideo versions 29.0 and prior
- All installations where the default git.json.php endpoint is reachable from the network
Discovery Timeline
- 2026-04-21 - CVE-2026-40908 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-40908
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The git.json.php endpoint is accessible without any authentication mechanism, allowing any remote attacker to retrieve detailed git repository information simply by making an HTTP request to the endpoint.
The exposed information provides a significant reconnaissance advantage to attackers. By obtaining the exact commit hash, attackers can determine the precise version of the software deployed and cross-reference it against publicly disclosed CVEs to identify known vulnerabilities. Additionally, the exposure of developer names and email addresses constitutes a PII leak that could be leveraged for social engineering attacks. Commit messages may inadvertently reveal information about security patches, internal systems, or bug fixes that could guide targeted exploitation.
Root Cause
The root cause of this vulnerability is the lack of access control on the git.json.php endpoint. The file directly executes a shell command (git log -1) and returns the output to any requesting user without verifying authentication or authorization. This represents a design flaw where sensitive development information is inadvertently exposed to the public-facing web application.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can simply send an HTTP GET request to the /git.json.php endpoint on any vulnerable AVideo installation. The server responds with JSON-formatted git log data containing:
- Full commit hash of the deployed version
- Author name and email address
- Commit timestamp
- Complete commit message
This information enables version fingerprinting, allowing attackers to identify vulnerable installations and plan targeted attacks based on known CVEs affecting specific versions.
Detection Methods for CVE-2026-40908
Indicators of Compromise
- Unusual HTTP requests to /git.json.php from external IP addresses
- Multiple requests to the endpoint from the same source in a short timeframe indicating automated scanning
- Access log entries showing successful 200 responses to git.json.php requests
Detection Strategies
- Configure web application firewall (WAF) rules to alert on access attempts to /git.json.php
- Monitor web server access logs for requests to sensitive PHP endpoints
- Implement anomaly detection for reconnaissance patterns targeting development-related files
Monitoring Recommendations
- Review access logs regularly for requests to git.json.php and similar endpoints
- Set up alerts for access attempts to development-related files from external networks
- Consider implementing a honeypot endpoint to detect active scanning for this vulnerability
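The log review, external-source filtering and scanning-burst detection described in the three lists above can be scripted. The following is an added example, not code from the advisory or from the AVideo project; it parses Combined Log Format lines (the default for Apache and nginx), treats the RFC 1918 ranges as internal (an assumption; adjust for your environment), and uses a constructed sample log rather than real traffic. The list of watched development paths beyond /git.json.php is also an assumption.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The vulnerable endpoint plus generic development artefacts.
# The extra paths are an assumption, not taken from the advisory.
WATCHED_PATHS = ("/git.json.php", "/.git/", "/.env", "/composer.json")

# Networks treated as internal (assumption; tune to your deployment).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (TEST-NET addresses, not real clients).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Apr/2026:10:00:01 +0000] "GET /git.json.php HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.10 - - [21/Apr/2026:10:00:03 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.10 - - [21/Apr/2026:10:00:05 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/8.0"
10.0.0.5 - - [21/Apr/2026:10:05:00 +0000] "GET /git.json.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Apr/2026:08:00:00 +0000] "GET /git.json.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Apr/2026:08:00:01 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string
    return rec


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def is_watched(path):
    return any(path == p or path.startswith(p) for p in WATCHED_PATHS)


def analyze(lines, window_seconds=60, burst_threshold=3):
    """Summarise what a responder wants to know:
    exposed  - external clients that received a 200 from /git.json.php
               (the data actually left the server)
    blocked  - requests to the endpoint answered 403/404 (mitigation working)
    scanners - external IPs with >= burst_threshold hits on watched paths
               inside window_seconds (automated reconnaissance)
    """
    exposed, blocked, hits = [], 0, defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_watched(rec["path"]):
            continue
        internal = is_internal(rec["ip"])
        if rec["path"] == "/git.json.php":
            if rec["status"] == 200 and not internal:
                exposed.append((rec["ip"], rec["ts"].isoformat()))
            elif rec["status"] in (403, 404):
                blocked += 1
        if not internal:
            hits[rec["ip"]].append(rec["ts"])
    scanners = set()
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times) - burst_threshold + 1):
            span = times[i + burst_threshold - 1] - times[i]
            if span.total_seconds() <= window_seconds:
                scanners.add(ip)
                break
    return {"exposed": exposed, "blocked": blocked, "scanners": sorted(scanners)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run it against the real access log with `analyze(open("/var/log/nginx/access.log").readlines())`; a non-empty `exposed` list is the signal that the incident-response steps under the mitigation section apply, and a growing `blocked` count after deploying the web server rule confirms the block is effective.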
How to Mitigate CVE-2026-40908
Immediate Actions Required
- Remove or restrict access to the git.json.php file immediately
- Review web root for other development-related files that may expose sensitive information
- Audit access logs to determine if the endpoint has been accessed by unauthorized parties
- Consider rotating any exposed developer credentials as a precautionary measure
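The second action above, reviewing the web root for other development-related files, can be done with a short audit script. This is an added example, not code from the advisory or from the AVideo project. It walks a document root and reports files and directories that usually mean development material is publicly reachable; apart from git.json.php, the names and suffixes it looks for are a generic assumption, not a list taken from the advisory, and the sample web root it builds is constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

# Names that should not sit in a public web root. git.json.php is the
# endpoint from the advisory; the rest is a generic list (assumption).
RISKY_NAMES = {"git.json.php", ".git", ".svn", ".hg", ".env",
               "composer.lock", "package-lock.json"}
# Leftover editor, backup and dump files (assumption).
RISKY_SUFFIXES = (".bak", ".orig", ".swp", ".sql", ".log")


def find_dev_artifacts(web_root):
    """Return sorted POSIX-style relative paths of risky entries under web_root.
    Risky directories such as .git are reported once and not descended into."""
    root = Path(web_root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in list(dirnames):          # copy: we prune while iterating
            if d in RISKY_NAMES:
                found.append((rel_dir / d).as_posix())
                dirnames.remove(d)        # do not walk into .git etc.
        for f in filenames:
            if f in RISKY_NAMES or f.endswith(RISKY_SUFFIXES):
                found.append((rel_dir / f).as_posix())
    return sorted(found)


def build_sample_root():
    """Create a throwaway web root for demonstration (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-audit-"))
    (root / "index.php").write_text("<?php echo 'ok';\n")
    (root / "git.json.php").write_text("<?php // placeholder for the vulnerable file\n")
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / "plugin").mkdir()
    (root / "plugin" / "config.php.bak").write_text("")
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for path in find_dev_artifacts(sample):
        print(path)
```

On a real installation call `find_dev_artifacts("/var/www/html")` (or wherever AVideo is served from); each reported path should either be removed from the web root or denied in the web server configuration, as done for git.json.php in the workarounds.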
Patch Information
As of the publication date, no known patched versions are available from the vendor. Organizations should implement the workarounds described below until an official patch is released. Monitor the GitHub Security Advisory for updates on patch availability.
Workarounds
- Delete the git.json.php file from the web root if not required for operations
- Block access to git.json.php at the web server or reverse proxy level
- Implement IP-based access restrictions to limit access to trusted administrative networks only
- Use .htaccess or equivalent web server configuration to deny public access to the endpoint
# Apache .htaccess configuration to block access
# Apache 2.2 syntax (on Apache 2.4 this requires mod_access_compat;
# without it the Order/Deny directives cause a configuration error)
<Files "git.json.php">
    Order Allow,Deny
    Deny from all
</Files>
# Apache 2.4 equivalent using the native authorization directive:
# <Files "git.json.php">
#     Require all denied
# </Files>

# Nginx configuration to block access
# "return 404" is processed before the access phase, so the client sees
# a 404 rather than a 403; "deny all" is kept as a belt-and-braces rule
location = /git.json.php {
    deny all;
    return 404;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

