Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-43873

CVE-2026-43873: WWBN AVideo Information Disclosure Flaw

CVE-2026-43873 is an information disclosure vulnerability in WWBN AVideo that leaks authentication credentials to unauthenticated users. This post covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-43873 Overview

CVE-2026-43873 is an information disclosure vulnerability in WWBN AVideo, an open source video platform. The flaw affects all versions up to and including 29.0. The plugin/CloneSite/cloneClient.json.php endpoint echoes the local CloneSite shared secret into the HTTP response body on every unauthenticated request. The secret is $objClone->myKey, a constant value computed as md5($global['systemRootPath'] . $global['salt']). An unauthenticated remote attacker can retrieve this credential and use it to impersonate the victim against a configured remote cloneServer.json.php endpoint.

Critical Impact

Attackers can extract the CloneSite federation key without authentication, then trigger a full mysqldump of the remote AVideo database into a public web directory.

Affected Products

  • WWBN AVideo versions up to and including 29.0
  • AVideo deployments using the CloneSite plugin
  • AVideo instances configured with a remote cloneSiteURL for federation or backup

Discovery Timeline

  • 2026-05-11 - CVE-2026-43873 published to the National Vulnerability Database
  • 2026-05-12 - Last updated in NVD database
  • Commit e6566f56a28f4556b2a0a09d03717a719dcb49da contains the updated fix

Technical Details for CVE-2026-43873

Vulnerability Analysis

The vulnerability is an information exposure through an error message, classified as [CWE-209]. The affected endpoint cloneClient.json.php contains an unauthenticated error branch designed to reject callers that lack a valid administrative key. The rejection message interpolates the expected key value into the response before calling die(). As a result, any unauthenticated HTTP request to the endpoint receives the server's CloneSite shared secret in the response body.

The leaked myKey is a deterministic md5 hash derived from the system root path and the configured salt. Because the key is constant, a single request retrieves a credential valid for all subsequent operations. When the victim AVideo instance is configured with a remote cloneSiteURL, the same key authenticates calls to the remote server's cloneServer.json.php. The attacker pivots from a passive read to active impersonation, instructing the remote node to execute a full database dump.

Root Cause

The root cause is improper handling of authentication failures. The code path that returns an error to unauthenticated clients includes the expected secret in the diagnostic output rather than producing a generic rejection. The secret is also derived deterministically from static server configuration, so it never rotates.

Attack Vector

The attack vector is network-based and requires no privileges or user interaction. An attacker issues a single unauthenticated HTTP request to plugin/CloneSite/cloneClient.json.php on the victim host, parses the myKey value from the JSON response, then submits authenticated requests to the federated peer's cloneServer.json.php. The peer accepts the request and writes a mysqldump artifact to its public videos/clones/ directory, where it can be downloaded over the web.

No verified public exploit code is available. See the GitHub Security Advisory for vendor technical details.

Detection Methods for CVE-2026-43873

Indicators of Compromise

  • Unauthenticated HTTP requests to plugin/CloneSite/cloneClient.json.php from unexpected source addresses
  • Outbound or inbound requests to cloneServer.json.php that do not correlate with scheduled federation jobs
  • New .sql or mysqldump files appearing in the videos/clones/ directory of any federated AVideo node
  • HTTP responses from cloneClient.json.php containing a 32-character hexadecimal myKey value

Detection Strategies

  • Inspect web server access logs for requests to cloneClient.json.php and review response bodies for embedded key values
  • Alert on HTTP request patterns where cloneClient.json.php is queried before cloneServer.json.php calls from the same origin
  • Monitor file creation events in videos/clones/ and correlate with the originating PHP process

Monitoring Recommendations

  • Enable verbose access logging on all AVideo plugin endpoints and forward logs to a centralized SIEM
  • Track database export operations on MySQL or MariaDB instances backing AVideo deployments
  • Audit the contents of any directory served publicly by AVideo for unexpected dump artifacts

How to Mitigate CVE-2026-43873

Immediate Actions Required

  • Upgrade WWBN AVideo to a build that includes commit e6566f56a28f4556b2a0a09d03717a719dcb49da or later
  • Rotate the AVideo salt value in configuration to invalidate any previously leaked myKey
  • Audit videos/clones/ directories on every federated AVideo node and remove unauthorized dump files
  • Review database contents for evidence of unauthorized export

Patch Information

The maintainers published the fix in commit e6566f56a28f4556b2a0a09d03717a719dcb49da. Review the GitHub Commit Change for the exact code change. The patch removes the secret from the error response path.

Workarounds

  • Restrict network access to plugin/CloneSite/cloneClient.json.php and cloneServer.json.php using web server access control lists
  • Disable the CloneSite plugin on any deployment that does not require federation
  • Deny public web access to the videos/clones/ directory until the patch is applied
  • After patching, rotate the salt value and any administrative credentials shared between federated nodes
bash
# Example nginx ACL restricting CloneSite endpoints to trusted peers
location ~ ^/plugin/CloneSite/(cloneClient|cloneServer)\.json\.php$ {
    allow 203.0.113.10;   # trusted federation peer
    deny all;
}

location ^~ /videos/clones/ {
    deny all;
    return 404;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.