CVE-2026-43873 Overview
CVE-2026-43873 is an information disclosure vulnerability in WWBN AVideo, an open source video platform. The flaw affects all versions up to and including 29.0. The plugin/CloneSite/cloneClient.json.php endpoint echoes the local CloneSite shared secret into the HTTP response body on every unauthenticated request. The secret is $objClone->myKey, a constant value computed as md5($global['systemRootPath'] . $global['salt']). An unauthenticated remote attacker can retrieve this credential and use it to impersonate the victim against a configured remote cloneServer.json.php endpoint.
Critical Impact
Attackers can extract the CloneSite federation key without authentication, then trigger a full mysqldump of the remote AVideo database into a public web directory.
Affected Products
- WWBN AVideo versions up to and including 29.0
- AVideo deployments using the CloneSite plugin
- AVideo instances configured with a remote cloneSiteURL for federation or backup
Discovery Timeline
- 2026-05-11 - CVE-2026-43873 published to the National Vulnerability Database
- 2026-05-12 - Last updated in NVD database
- Commit e6566f56a28f4556b2a0a09d03717a719dcb49da contains the updated fix
Technical Details for CVE-2026-43873
Vulnerability Analysis
The vulnerability is an information exposure through an error message, classified as CWE-209. The affected endpoint cloneClient.json.php contains an unauthenticated error branch designed to reject callers that lack a valid administrative key. The rejection message interpolates the expected key value into the response before calling die(). As a result, any unauthenticated HTTP request to the endpoint receives the server's CloneSite shared secret in the response body.
The leaked myKey is a deterministic md5 hash derived from the system root path and the configured salt. Because the key is constant, a single request retrieves a credential valid for all subsequent operations. When the victim AVideo instance is configured with a remote cloneSiteURL, the same key authenticates calls to the remote server's cloneServer.json.php. The attacker pivots from a passive read to active impersonation, instructing the remote node to execute a full database dump.
Root Cause
The root cause is improper handling of authentication failures. The code path that returns an error to unauthenticated clients includes the expected secret in the diagnostic output rather than producing a generic rejection. The secret is also derived deterministically from static server configuration, so it never rotates.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker issues a single unauthenticated HTTP request to plugin/CloneSite/cloneClient.json.php on the victim host, parses the myKey value from the JSON response, then submits authenticated requests to the federated peer's cloneServer.json.php. The peer accepts the request and writes a mysqldump artifact to its public videos/clones/ directory, where it can be downloaded over the web.
No verified public exploit code is available. See the GitHub Security Advisory for vendor technical details.
Detection Methods for CVE-2026-43873
Indicators of Compromise
- Unauthenticated HTTP requests to plugin/CloneSite/cloneClient.json.php from unexpected source addresses
- Outbound or inbound requests to cloneServer.json.php that do not correlate with scheduled federation jobs
- New .sql or mysqldump files appearing in the videos/clones/ directory of any federated AVideo node
- HTTP responses from cloneClient.json.php containing a 32-character hexadecimal myKey value
Detection Strategies
- Inspect web server access logs for requests to cloneClient.json.php and review response bodies for embedded key values
- Alert on HTTP request patterns where cloneClient.json.php is queried before cloneServer.json.php calls from the same origin
- Monitor file creation events in videos/clones/ and correlate with the originating PHP process
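The log-correlation strategy above, as an added example that is not part of the original advisory: a small Python detector that reads combined-format access log lines (nginx or Apache), flags hits on cloneClient.json.php, flags the same origin later calling cloneServer.json.php, flags cloneServer.json.php calls from origins outside a known peer list, and flags successful downloads from videos/clones/. It assumes the access logs of all federated nodes have been merged in time order (as in a SIEM); the sample log lines and the peer address are constructed.

```python
"""Flag CVE-2026-43873 exploitation patterns in merged AVideo access logs."""
import re

# Combined log format (nginx/apache): ip - user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
CLIENT_EP = "/plugin/CloneSite/cloneClient.json.php"
SERVER_EP = "/plugin/CloneSite/cloneServer.json.php"
DUMP_DIR = "/videos/clones/"

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines, trusted_peers=frozenset()):
    """Return (kind, ip, path) alerts in log order; kinds are commented below."""
    alerts, probed = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined log format
        ip, status = rec["ip"], int(rec["status"])
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if path == CLIENT_EP:
            alerts.append(("probe", ip, path))  # every hit leaks myKey on unpatched builds
            probed.add(ip)
        elif path == SERVER_EP:
            if ip in probed:
                alerts.append(("pivot", ip, path))  # same origin: read key, then impersonate
            elif ip not in trusted_peers:
                alerts.append(("unexpected_peer", ip, path))  # not a known federation peer
        elif path.startswith(DUMP_DIR) and status == 200:
            alerts.append(("dump_download", ip, path))  # artifact fetched from videos/clones/
    return alerts

# Constructed sample lines (not real traffic): probe then pivot, a legitimate peer, a dump fetch.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/May/2026:10:00:01 +0000] "GET /plugin/CloneSite/cloneClient.json.php HTTP/1.1" 200 143',
    '198.51.100.7 - - [11/May/2026:10:00:09 +0000] "POST /plugin/CloneSite/cloneServer.json.php HTTP/1.1" 200 88',
    '203.0.113.10 - - [11/May/2026:11:00:00 +0000] "POST /plugin/CloneSite/cloneServer.json.php HTTP/1.1" 200 88',
    '192.0.2.44 - - [11/May/2026:11:02:30 +0000] "GET /videos/clones/backup.sql HTTP/1.1" 200 4092371',
]
```

Running `detect(SAMPLE_LOG, trusted_peers={"203.0.113.10"})` yields a probe, a pivot from the same address and a dump download, while the scheduled peer call produces no alert.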
Monitoring Recommendations
- Enable verbose access logging on all AVideo plugin endpoints and forward logs to a centralized SIEM
- Track database export operations on MySQL or MariaDB instances backing AVideo deployments
- Audit the contents of any directory served publicly by AVideo for unexpected dump artifacts
How to Mitigate CVE-2026-43873
Immediate Actions Required
- Upgrade WWBN AVideo to a build that includes commit e6566f56a28f4556b2a0a09d03717a719dcb49da or later
- Rotate the AVideo salt value in configuration to invalidate any previously leaked myKey
- Audit videos/clones/ directories on every federated AVideo node and remove unauthorized dump files
- Review database contents for evidence of unauthorized export
Patch Information
The maintainers published the fix in commit e6566f56a28f4556b2a0a09d03717a719dcb49da. Review the GitHub Commit Change for the exact code change. The patch removes the secret from the error response path.
Workarounds
- Restrict network access to plugin/CloneSite/cloneClient.json.php and cloneServer.json.php using web server access control lists
- Disable the CloneSite plugin on any deployment that does not require federation
- Deny public web access to the videos/clones/ directory until the patch is applied
- After patching, rotate the salt value and any administrative credentials shared between federated nodes
# Example nginx ACL restricting CloneSite endpoints to trusted peers
location ~ ^/plugin/CloneSite/(cloneClient|cloneServer)\.json\.php$ {
    allow 203.0.113.10;  # trusted federation peer
    deny all;
}
location ^~ /videos/clones/ {
    deny all;
    return 404;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.