CVE-2026-43875 Overview
CVE-2026-43875 affects WWBN AVideo, an open source video platform, in versions up to and including 29.0. The vulnerability resides in plugin/MobileManager/oauth2.php, which completes an OAuth login by issuing an HTTP 302 redirect containing the victim's stored password hash in the URL query string. AVideo's login endpoint accepts an encodedPass=1 flag that bypasses hashing and compares the supplied value directly to the stored hash. Anyone who captures the redirect URL through server logs, referrer headers, or browser history obtains a credential equivalent to the plaintext password. This information disclosure issue is tracked under CWE-598.
Critical Impact
Captured redirect URLs grant full account takeover, including administrative accounts, without further authentication challenges.
Affected Products
- WWBN AVideo versions up to and including 29.0
- plugin/MobileManager/oauth2.php OAuth integration component
- AVideo deployments using the MobileManager OAuth login flow
Discovery Timeline
- 2026-05-11 - CVE-2026-43875 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43875
Vulnerability Analysis
The OAuth success handler in plugin/MobileManager/oauth2.php constructs a redirect of the form oauth2Success.php?user=<email>&pass=<HASH>. The <HASH> value is the stored password hash computed as md5(hash("whirlpool", sha1(password))), read directly from the users table. Because AVideo's objects/login.json.php endpoint accepts the encodedPass=1 flag and performs a direct string comparison against the stored hash, the leaked hash functions as a password equivalent. Attackers who replay the captured hash with encodedPass=1 authenticate as the victim without ever knowing the plaintext credential. The flaw is classified as Information Exposure Through Sent Data (CWE-598).
Root Cause
Two design defects combine to produce the vulnerability. First, the OAuth completion logic transmits the stored password hash as a URL query parameter rather than establishing the session server-side. Second, the login endpoint accepts a client-controlled encodedPass=1 flag that disables hashing, treating the stored hash as a valid credential. URL parameters are persisted in browser history, proxy logs, web server access logs, and Referer headers sent to third-party resources.
Attack Vector
An attacker who can read any artifact recording the redirect URL recovers the password-equivalent hash. Sources include shared access logs, error logs that capture full request URLs, third-party analytics receiving Referer headers, and browser history on shared workstations. The attacker then submits a login request to objects/login.json.php with the victim's email and the captured hash, setting encodedPass=1 to bypass server-side hashing. The session granted matches the victim's privileges, including administrator roles.
$email = $userProfile->email;
$pass = rand();
$users_id = User::createUserIfNotExists($user, $pass, $name, $email, $photoURL);
- $adapter->disconnect();
$userObject = new User($users_id);
- header("Location: oauth2Success.php?user=" . $userObject->getUser() . "&pass=" . $userObject->getPassword());
+ // Log in by user ID and keep credentials out of URLs/logs/history.
+ $userObject->login(true);
+ $adapter->disconnect();
+ header("Location: oauth2Success.php");
+ exit;
} catch (\Exception $e) {
header("Location: oauth2Error.php?message=" . $e->getMessage());
}
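Review bot: the catch branch in this hunk still interpolates $e->getMessage() into the redirect URL without urlencode(), so exception text from the OAuth adapter reaches access logs, browser history and Referer headers through the same channel the password hash just left; at minimum wrap it (header("Location: oauth2Error.php?message=" . urlencode($e->getMessage()));), and preferably redirect with a generic error code and keep the message in the server-side log. Separately, the unchanged $pass = rand(); line seeds auto-created accounts with a password from PHP's non-cryptographic rand(); since this value is stored as the account's credential, bin2hex(random_bytes(16)) would be the appropriate replacement.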
Source: GitHub Commit 977cd6930a97571a26da4239e25c8096dd4ecbc1. The patch removes credentials from the redirect URL and instead authenticates the user server-side via $userObject->login(true) before issuing a clean redirect to oauth2Success.php.
Detection Methods for CVE-2026-43875
Indicators of Compromise
- Access log entries containing oauth2Success.php?user= followed by a pass= query parameter
- Login requests to objects/login.json.php with encodedPass=1 originating from unexpected IP addresses or user agents
- Referer headers in outbound traffic that include oauth2Success.php with credential parameters
- Authentication events for administrator accounts immediately following OAuth callback activity
Detection Strategies
- Search web server and reverse proxy logs for the regular expression pattern oauth2Success\.php\?user=.*&pass= to identify exposed hashes
- Alert on POST requests to objects/login.json.php where the body contains encodedPass=1, especially from sources that did not perform a prior OAuth handshake
- Correlate OAuth callback events with subsequent login activity from disparate IP addresses within short time windows
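The following Python script is an added example (not part of this advisory or of the AVideo project) that applies the three detection strategies above to access-log lines: it flags oauth2Success.php requests whose query string carries both user= and pass=, flags objects/login.json.php requests with encodedPass=1, and raises an alert when such a login for the same account arrives from a different IP address within a time window of the leak. The sample log lines, IP addresses, account name and hash value are constructed for the example. It assumes combined log format and that encodedPass=1 is visible in the logged request line; if the flag is sent only in the POST body, the same logic must be fed from application or WAF logs that record request bodies.

```python
import hashlib
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/Nginx "combined" format. The IPs, account,
# hash value and timestamps are made up for this example, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [11/May/2026:09:14:02 +0000] "GET /plugin/MobileManager/oauth2Success.php?user=alice%40example.org&pass=0123456789abcdef0123456789abcdef HTTP/1.1" 302 0 "https://idp.example/consent" "Mozilla/5.0"
203.0.113.10 - - [11/May/2026:09:14:03 +0000] "GET /plugin/MobileManager/oauth2Success.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [11/May/2026:09:14:05 +0000] "POST /objects/login.json.php?user=alice%40example.org&pass=0123456789abcdef0123456789abcdef&encodedPass=1 HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.77 - - [11/May/2026:09:21:40 +0000] "POST /objects/login.json.php?user=alice%40example.org&pass=0123456789abcdef0123456789abcdef&encodedPass=1 HTTP/1.1" 200 87 "-" "curl/8.4.0"
203.0.113.10 - - [11/May/2026:10:00:00 +0000] "POST /objects/login.json.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def fingerprint(secret):
    """Correlation key for a leaked hash; the alert never carries the hash itself."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def find_leaked_hashes(lines):
    """Strategy 1: oauth2Success.php requests carrying user= and pass= in the query."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].endswith("oauth2Success.php"):
            continue
        q = rec["query"]
        if "user" in q and "pass" in q:
            hits.append({"ts": rec["ts"], "ip": rec["ip"], "user": q["user"][0],
                         "fp": fingerprint(q["pass"][0])})
    return hits


def find_encoded_pass_logins(lines):
    """Strategy 2: objects/login.json.php requests that set encodedPass=1."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].endswith("objects/login.json.php"):
            continue
        q = rec["query"]
        if q.get("encodedPass", ["0"])[0] == "1":
            hits.append({"ts": rec["ts"], "ip": rec["ip"], "ua": rec["ua"],
                         "user": q.get("user", ["?"])[0],
                         "fp": fingerprint(q["pass"][0]) if "pass" in q else None})
    return hits


def correlate(leaks, logins, window=timedelta(hours=1)):
    """Strategy 3: same account logs in with encodedPass=1 from a different IP
    within `window` after its hash appeared in a redirect URL."""
    alerts = []
    for leak in leaks:
        for login in logins:
            if login["user"] != leak["user"]:
                continue
            delta = login["ts"] - leak["ts"]
            if timedelta(0) <= delta <= window and login["ip"] != leak["ip"]:
                alerts.append({"user": leak["user"], "leak_ip": leak["ip"],
                               "login_ip": login["ip"], "login_ua": login["ua"],
                               "minutes_after": round(delta.total_seconds() / 60, 1),
                               "same_hash": login["fp"] == leak["fp"]})
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for alert in correlate(find_leaked_hashes(lines), find_encoded_pass_logins(lines)):
        print("ALERT", alert)
```

On the sample data the script reports a single alert: alice's hash was exposed to 203.0.113.10 at 09:14:02 and replayed with encodedPass=1 from 198.51.100.77 about seven minutes later; the encodedPass=1 login from the original client is not alerted on its own because the correlation requires a different source address. Alerts carry a truncated SHA-256 of the leaked value rather than the value itself, so the SIEM does not become another copy of a password-equivalent credential.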
Monitoring Recommendations
- Forward AVideo web server logs to a centralized SIEM and retain them long enough to investigate historical credential leakage
- Rotate or invalidate stored password hashes for accounts that completed OAuth logins before patching
- Monitor administrator account session creation for anomalous geolocation or device fingerprint changes
How to Mitigate CVE-2026-43875
Immediate Actions Required
- Upgrade WWBN AVideo to a build that includes commit 977cd6930a97571a26da4239e25c8096dd4ecbc1 or later
- Force a password reset for every account that has previously used the MobileManager OAuth flow
- Purge or restrict access to historical web server, proxy, and analytics logs that may contain redirect URLs with pass= parameters
- Audit administrator accounts for unauthorized sessions and revoke active tokens
Patch Information
The fix is published in commit 977cd6930a97571a26da4239e25c8096dd4ecbc1. It replaces the credential-bearing redirect with a server-side $userObject->login(true) call followed by a redirect to oauth2Success.php with no query parameters. Details are documented in the WWBN AVideo Security Advisory GHSA-5w8w-26ch-v5cw.
Workarounds
- Disable the MobileManager OAuth plugin until the patched version is deployed
- Modify objects/login.json.php to reject requests that supply encodedPass=1, forcing all logins through the standard hashing path
- Restrict access to web server log files and disable third-party analytics on OAuth callback pages to limit hash exposure
# Verify the patched commit is present in the deployed AVideo source tree.
# git log --oneline abbreviates hashes, so match the full hash against %H output.
cd /var/www/AVideo
git log --format=%H | grep -q 977cd6930a97571a26da4239e25c8096dd4ecbc1 && echo "patched" || echo "NOT patched"
# Temporary mitigation: disable the MobileManager OAuth plugin directory
# (restore the original mode, e.g. chmod 755, after upgrading)
chmod 000 /var/www/AVideo/plugin/MobileManager
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.