Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-43875

CVE-2026-43875: WWBN AVideo Auth Bypass Vulnerability

CVE-2026-43875 is an authentication bypass flaw in WWBN AVideo that exposes password hashes via OAuth redirects, allowing full account takeover. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-43875 Overview

CVE-2026-43875 affects WWBN AVideo, an open source video platform, in versions up to and including 29.0. The vulnerability resides in plugin/MobileManager/oauth2.php, which completes an OAuth login by issuing an HTTP 302 redirect containing the victim's stored password hash in the URL query string. AVideo's login endpoint accepts an encodedPass=1 flag that bypasses hashing and compares the supplied value directly to the stored hash. Anyone who captures the redirect URL through server logs, referrer headers, or browser history obtains a credential equivalent to the plaintext password. This information disclosure issue is tracked under [CWE-598].

Critical Impact

Captured redirect URLs grant full account takeover, including administrative accounts, without further authentication challenges.

Affected Products

  • WWBN AVideo versions up to and including 29.0
  • plugin/MobileManager/oauth2.php OAuth integration component
  • AVideo deployments using the MobileManager OAuth login flow

Discovery Timeline

  • 2026-05-11 - CVE-2026-43875 published to NVD
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-43875

Vulnerability Analysis

The OAuth success handler in plugin/MobileManager/oauth2.php constructs a redirect of the form oauth2Success.php?user=<email>&pass=<HASH>. The <HASH> value is the stored password hash computed as md5(hash("whirlpool", sha1(password))), read directly from the users table. Because AVideo's objects/login.json.php endpoint accepts the encodedPass=1 flag and performs a direct string comparison against the stored hash, the leaked hash functions as a password equivalent. Attackers who replay the captured hash with encodedPass=1 authenticate as the victim without ever knowing the plaintext credential. The flaw is classified as Information Exposure Through Sent Data ([CWE-598]).

Root Cause

Two design defects combine to produce the vulnerability. First, the OAuth completion logic transmits the stored password hash as a URL query parameter rather than establishing the session server-side. Second, the login endpoint accepts a client-controlled encodedPass=1 flag that disables hashing, treating the stored hash as a valid credential. URL parameters are persisted in browser history, proxy logs, web server access logs, and Referer headers sent to third-party resources.

Attack Vector

An attacker who can read any artifact recording the redirect URL recovers the password-equivalent hash. Sources include shared access logs, error logs that capture full request URLs, third-party analytics receiving Referer headers, and browser history on shared workstations. The attacker then submits a login request to objects/login.json.php with the victim's email and the captured hash, setting encodedPass=1 to bypass server-side hashing. The session granted matches the victim's privileges, including administrator roles.

php
         $email = $userProfile->email;
         $pass = rand();
         $users_id = User::createUserIfNotExists($user, $pass, $name, $email, $photoURL);
-        $adapter->disconnect();
         $userObject = new User($users_id);
-        header("Location: oauth2Success.php?user=" . $userObject->getUser() . "&pass=" . $userObject->getPassword());
+        // Log in by user ID and keep credentials out of URLs/logs/history.
+        $userObject->login(true);
+        $adapter->disconnect();
+        header("Location: oauth2Success.php");
+        exit;
     } catch (\Exception $e) {
         header("Location: oauth2Error.php?message=" . $e->getMessage());
     }

Source: GitHub Commit 977cd6930a97571a26da4239e25c8096dd4ecbc1. The patch removes credentials from the redirect URL and instead authenticates the user server-side via $userObject->login(true) before issuing a clean redirect to oauth2Success.php.

Detection Methods for CVE-2026-43875

Indicators of Compromise

  • Access log entries containing oauth2Success.php?user= followed by a pass= query parameter
  • Login requests to objects/login.json.php with encodedPass=1 originating from unexpected IP addresses or user agents
  • Referer headers in outbound traffic that include oauth2Success.php with credential parameters
  • Authentication events for administrator accounts immediately following OAuth callback activity

Detection Strategies

  • Search web server and reverse proxy logs for the regular expression pattern oauth2Success\.php\?user=.*&pass= to identify exposed hashes
  • Alert on POST requests to objects/login.json.php where the body contains encodedPass=1, especially from sources that did not perform a prior OAuth handshake
  • Correlate OAuth callback events with subsequent login activity from disparate IP addresses within short time windows

Monitoring Recommendations

  • Forward AVideo web server logs to a centralized SIEM and retain them long enough to investigate historical credential leakage
  • Rotate or invalidate stored password hashes for accounts that completed OAuth logins before patching
  • Monitor administrator account session creation for anomalous geolocation or device fingerprint changes

How to Mitigate CVE-2026-43875

Immediate Actions Required

  • Upgrade WWBN AVideo to a build that includes commit 977cd6930a97571a26da4239e25c8096dd4ecbc1 or later
  • Force a password reset for every account that has previously used the MobileManager OAuth flow
  • Purge or restrict access to historical web server, proxy, and analytics logs that may contain redirect URLs with pass= parameters
  • Audit administrator accounts for unauthorized sessions and revoke active tokens

Patch Information

The fix is published in commit 977cd6930a97571a26da4239e25c8096dd4ecbc1. It replaces the credential-bearing redirect with a server-side $userObject->login(true) call followed by a redirect to oauth2Success.php with no query parameters. Details are documented in the WWBN AVideo Security Advisory GHSA-5w8w-26ch-v5cw.

Workarounds

  • Disable the MobileManager OAuth plugin until the patched version is deployed
  • Modify objects/login.json.php to reject requests that supply encodedPass=1, forcing all logins through the standard hashing path
  • Restrict access to web server log files and disable third-party analytics on OAuth callback pages to limit hash exposure
bash
# Verify the patched commit is present in the deployed AVideo source tree
cd /var/www/AVideo
git log --oneline | grep 977cd6930a97571a26da4239e25c8096dd4ecbc1

# Temporary mitigation: disable the MobileManager OAuth plugin directory
chmod 000 /var/www/AVideo/plugin/MobileManager

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.