CVE-2026-43885 Overview
CVE-2026-43885 is an information disclosure vulnerability in WWBN AVideo, an open source video platform. In versions up to and including 29.0, unauthenticated attackers can read the APISecret value from objects/plugins.json.php. The leaked secret allows attackers to invoke protected API endpoints such as users_list without authenticating. The flaw is tracked under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Commit 1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b contains the upstream fix.
Critical Impact
Unauthenticated remote attackers can extract the API secret and enumerate user accounts through protected API endpoints.
Affected Products
- WWBN AVideo versions up to and including 29.0
- objects/plugins.json.php endpoint in affected releases
- Deployments exposing the AVideo API to untrusted networks
Discovery Timeline
- 2026-05-11 - CVE-2026-43885 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43885
Vulnerability Analysis
The vulnerability resides in objects/plugins.json.php, which serves plugin configuration data to clients. For non-administrator users, the script attempted to clear sensitive object_data fields before returning the plugin list. The clearing logic referenced an incorrect data structure, so the sanitization never executed. As a result, plugin objects containing secrets, including APISecret, were returned to unauthenticated callers.
With the leaked APISecret, an attacker can authenticate to protected JSON API endpoints. The advisory specifically identifies users_list as exploitable, exposing platform user records. The attack requires no credentials, no user interaction, and only network access to the affected host.
Root Cause
The sanitization code accessed $row[$key]->installedPlugin['object_data'], treating each row as an object with an installedPlugin property, while Plugin::getAll() actually returns arrays keyed as $row[$key]['object_data']. In PHP a property read on an array yields null with only a notice, so the conditional check never matched and failed silently rather than erroring; no fields were redacted before serialization, and sensitive plugin configuration was emitted verbatim in the JSON response.
Attack Vector
An unauthenticated attacker issues an HTTP GET request to objects/plugins.json.php and parses the response for the APISecret field. The attacker then uses that secret to call protected API endpoints such as users_list and harvest user data.
$row = Plugin::getAll();
if (!User::isAdmin()) {
foreach ($row as $key => $value) {
- if (!empty($row[$key]->installedPlugin['object_data'])) {
- $row[$key]->installedPlugin['object_data'] = '';
+ if (isset($row[$key]['object_data'])) {
+ $row[$key]['object_data'] = '';
}
}
}
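Review bot: the corrected `isset($row[$key]['object_data'])` check depends on Plugin::getAll() returning arrays, and the hunk shows how quietly the previous shape mismatch failed (`!empty()` on a property read against an array just evaluated false, so the redaction never ran and nothing logged it). A structural change to the return value would fail the same silent way, so the patch should come with a regression test that requests objects/plugins.json.php as a non-admin and asserts that no `object_data` or `APISecret` value appears in the serialized response, rather than relying on the branch being reached.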
Source: GitHub Commit 1c36f229
The patch corrects the array access path so that object_data is reliably stripped for non-admin callers.
Detection Methods for CVE-2026-43885
Indicators of Compromise
- Unauthenticated HTTP requests to /objects/plugins.json.php returning JSON payloads containing APISecret or object_data fields.
- API calls to users_list or other protected endpoints originating from IPs that never completed an interactive login.
- Outbound responses from AVideo with abnormally large plugins.json.php payloads compared to historical baselines.
Detection Strategies
- Inspect web server access logs for GET requests to objects/plugins.json.php from external sources, especially without prior session cookies.
- Correlate access to plugins.json.php with subsequent API calls referencing an APISecret parameter within a short time window.
- Deploy WAF or response-inspection rules that match outbound JSON responses containing the literal string APISecret.
Monitoring Recommendations
- Enable verbose access logging on AVideo front-end web servers and forward logs to a centralized analytics platform.
- Alert on bursts of users_list API calls or any API call invoked with a secret but no authenticated session.
- Track the AVideo deployment version inventory to identify hosts still running 29.0 or earlier.
How to Mitigate CVE-2026-43885
Immediate Actions Required
- Upgrade WWBN AVideo to a release containing commit 1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b or later.
- Rotate the APISecret and any other credentials stored in plugin object_data after patching.
- Audit recent API activity, particularly users_list calls, for signs of unauthorized enumeration.
Patch Information
The maintainers fixed the issue by correcting the array key check in objects/plugins.json.php. Review the GitHub Security Advisory GHSA-xr49-f4rh-qcjf and apply the upstream commit.
Workarounds
- Restrict network access to objects/plugins.json.php using web server rules or a reverse proxy until patching is complete.
- Place the AVideo instance behind authenticated proxy access if public exposure is not required.
- Invalidate and regenerate the APISecret to neutralize any secret captured before remediation.
# Example nginx rule blocking external access to the vulnerable endpoint.
# Caveat: an exact-match location takes precedence over the generic "~ \.php$"
# handler, so the PHP fastcgi directives must be repeated inside this block;
# otherwise clients in the allowed range would receive the raw file instead
# of the script output.
location = /objects/plugins.json.php {
    allow 10.0.0.0/8;
    deny all;
    # include the same fastcgi_pass / fastcgi_param settings used for other .php files
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.