CVE-2026-45610 Overview
CVE-2026-45610 is a cross-site request forgery (CSRF) vulnerability in WWBN AVideo, an open source video platform. The flaw affects version 29.0 and earlier and resides in the plugin/LoginControl/set.json.php endpoint. The endpoint accepts a POST request with type=set2FA and value=false and calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user. The handler omits forbidIfIsUntrustedRequest(), isTokenValid(), X-CSRF-Token validation, SameSite enforcement, and re-authentication. An attacker can therefore disable a victim's two-factor authentication (2FA) with a single cross-origin request triggered while the user is logged into the AVideo dashboard.
Critical Impact
Attackers can silently disable 2FA on authenticated AVideo accounts, weakening the account's protection against subsequent credential-based takeover.
Affected Products
- WWBN AVideo 29.0 and earlier
- plugin/LoginControl/set.json.php endpoint
- AVideo deployments with 2FA enabled for user accounts
Discovery Timeline
- 2026-05-29 - CVE-2026-45610 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-45610
Vulnerability Analysis
The vulnerability stems from a missing CSRF defense on a state-changing endpoint that controls a critical security setting. The handler at plugin/LoginControl/set.json.php accepts an authenticated POST request to toggle the set2FA flag for the current session user. Because the endpoint does not validate request origin or anti-CSRF tokens, any cross-origin page can issue the request using the victim's ambient session cookies. The result is a one-request downgrade of the account's authentication posture from two-factor to single-factor. This vulnerability maps to [CWE-306] Missing Authentication for Critical Function, as the action lacks a step-up verification appropriate to its security impact.
Root Cause
The root cause is the absence of standard CSRF protections in the AVideo codebase for the 2FA toggle path. The handler does not call forbidIfIsUntrustedRequest(), does not invoke isTokenValid() to check a session-bound CSRF token, and does not require the user to re-enter a password or current 2FA code before disabling the second factor. The application also does not set SameSite=Lax or SameSite=Strict on the session cookie, which would otherwise block the cross-site POST.
Attack Vector
An attacker hosts a malicious page on an external domain. The victim, while authenticated to the AVideo dashboard in another tab, visits the attacker's page. The page submits a hidden HTML form or a fetch call targeting plugin/LoginControl/set.json.php with type=set2FA and value=false. The browser attaches the AVideo session cookie, the server authenticates the request as the victim, and 2FA is disabled. The attacker can then proceed with credential stuffing, phishing, or stolen-password reuse against the now single-factor account.
No verified exploit code is published. See the vendor advisory for technical details: https://github.com/WWBN/AVideo/security/advisories/GHSA-3mv2-vmwh-rwfx
Detection Methods for CVE-2026-45610
Indicators of Compromise
- POST requests to plugin/LoginControl/set.json.php containing type=set2FA and value=false with a Referer or Origin header pointing to an external domain.
- Audit log entries showing 2FA disabled without a corresponding interactive user session event from the AVideo UI.
- Account login events from new IP addresses or geolocations shortly after a 2FA-disable event.
Detection Strategies
- Inspect web server access logs for requests to set.json.php where the Origin or Referer does not match the AVideo host.
- Alert on any change to the LoginControl 2FA state that is not preceded by an authenticated settings-page navigation.
- Correlate 2FA-disable events with subsequent password resets or sensitive profile changes from the same session.
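The following is an added example, not part of the original advisory or of the AVideo project, that implements the first indicator and first detection strategy above: it scans web server access log lines for POSTs to plugin/LoginControl/set.json.php whose Origin (or, failing that, Referer) does not belong to the AVideo host. The log format, the host name avideo.example.com and the sample lines are constructed for the example; it assumes the access log has been extended with a trailing quoted Origin field (for example via %{Origin}i in an Apache LogFormat), since the standard combined format records only the Referer. Note that access logs do not contain the POST body, so the type=set2FA and value=false fields must be confirmed from application-level logging.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

SITE_HOST = "avideo.example.com"  # assumed AVideo host name (constructed)
TARGET_PATH = "/plugin/LoginControl/set.json.php"

# Apache combined format plus one trailing quoted Origin field (constructed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"$'
)

# Constructed sample log lines: one legitimate same-origin toggle, one cross-origin
# toggle, one scripted toggle with neither header, one GET, one unrelated POST.
SAMPLE_LOGS = [
    '203.0.113.10 - - [29/May/2026:10:15:02 +0000] "POST /plugin/LoginControl/set.json.php HTTP/1.1" 200 17 '
    '"https://avideo.example.com/plugin/LoginControl/" "Mozilla/5.0" "https://avideo.example.com"',
    '198.51.100.7 - - [29/May/2026:10:16:44 +0000] "POST /plugin/LoginControl/set.json.php HTTP/1.1" 200 17 '
    '"https://third-party.example/" "Mozilla/5.0" "https://third-party.example"',
    '198.51.100.7 - - [29/May/2026:10:17:01 +0000] "POST /plugin/LoginControl/set.json.php HTTP/1.1" 200 17 '
    '"-" "curl/8.0" "-"',
    '203.0.113.10 - - [29/May/2026:10:18:30 +0000] "GET /plugin/LoginControl/set.json.php?type=set2FA HTTP/1.1" 405 0 '
    '"https://avideo.example.com/" "Mozilla/5.0" "-"',
    '203.0.113.10 - - [29/May/2026:10:19:00 +0000] "POST /some/other/endpoint.php HTTP/1.1" 200 20 '
    '"https://avideo.example.com/" "Mozilla/5.0" "https://avideo.example.com"',
]


def host_of(url: str) -> Optional[str]:
    """Hostname of a URL, or None when the log field is empty or '-'."""
    if not url or url == "-":
        return None
    return urlsplit(url).hostname


def classify(line: str) -> Optional[dict]:
    """Return a record for POSTs to the 2FA toggle endpoint, else None.

    verdict is one of:
      same-origin  - Origin (or Referer) host matches SITE_HOST
      cross-origin - Origin (or Referer) host is a different site
      no-origin    - neither header present; origin cannot be proven, review manually
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["method"] != "POST" or urlsplit(rec["path"]).path != TARGET_PATH:
        return None
    # Browsers send Origin on cross-site POSTs; fall back to Referer if Origin is absent.
    src_host = host_of(rec["origin"]) or host_of(rec["referer"])
    if src_host is None:
        verdict = "no-origin"
    elif src_host == SITE_HOST:
        verdict = "same-origin"
    else:
        verdict = "cross-origin"
    return {
        "ip": rec["ip"],
        "ts": rec["ts"],
        "status": rec["status"],
        "origin": rec["origin"],
        "referer": rec["referer"],
        "verdict": verdict,
    }


def find_suspicious(lines) -> list:
    """All 2FA-toggle POSTs that are not provably same-origin."""
    hits = []
    for line in lines:
        rec = classify(line)
        if rec is not None and rec["verdict"] != "same-origin":
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(f'{hit["ts"]} {hit["ip"]} {hit["verdict"]} origin={hit["origin"]} referer={hit["referer"]}')
```

Requests with neither header are reported separately from confirmed cross-origin ones because a missing Origin proves nothing either way; both deserve an analyst's look, and a status of 200 on a cross-origin hit means the toggle most likely succeeded.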
Monitoring Recommendations
- Forward AVideo application logs and web server logs to a centralized logging platform for review.
- Track per-user 2FA state transitions and flag any transition from enabled to disabled for analyst review.
- Monitor outbound HTTP referers and origin headers on administrative endpoints for anomalies.
How to Mitigate CVE-2026-45610
Immediate Actions Required
- Upgrade AVideo to a release later than 29.0 once the vendor publishes a patched version referenced in the GitHub Security Advisory GHSA-3mv2-vmwh-rwfx.
- Audit all user accounts for unexpected 2FA-disabled states and require affected users to re-enable 2FA.
- Force a password reset for any account where 2FA was disabled outside an expected change window.
Patch Information
Refer to the WWBN AVideo GitHub Security Advisory for patch availability and remediated version information. The fix should add forbidIfIsUntrustedRequest() and isTokenValid() checks to plugin/LoginControl/set.json.php and require re-authentication before disabling 2FA.
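As an added example that is not AVideo's PHP code, the following Python model shows the three controls the root-cause and patch sections say the handler lacks: an origin check that fails closed when neither Origin nor Referer is present (the role of forbidIfIsUntrustedRequest()), a session-bound anti-CSRF token compared in constant time (the role of isTokenValid()), and step-up re-authentication before the second factor can be disabled. The function and class names, the SITE_ORIGIN value and the reauth callback are assumptions introduced for the example; the request and session objects are constructed stand-ins for a web framework's.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://avideo.example.com"  # assumed deployment origin (constructed)


@dataclass
class Session:
    """Minimal stand-in for a server-side session bound to the session cookie."""
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))
    twofa_enabled: bool = True


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    headers: Dict[str, str]
    form: Dict[str, str]


def is_trusted_request(headers: Dict[str, str]) -> bool:
    """Same-origin check: Origin if present, else Referer, else reject (fail closed)."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer:
        p = urlsplit(referer)
        return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN
    return False


def is_token_valid(session: Session, form: Dict[str, str]) -> bool:
    """Anti-CSRF token check: the submitted token must equal the session's token."""
    return hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token)


# reauth(user_id, password, totp_code) -> bool; supplied by the caller (assumption).
ReauthFn = Callable[[int, str, str], bool]


def set_2fa(request: Request, session: Session, reauth: ReauthFn) -> Tuple[int, str]:
    """Hardened handler for the type=set2FA action; returns (status, message)."""
    if request.method != "POST":
        return 405, "method not allowed"
    if not is_trusted_request(request.headers):
        return 403, "untrusted request origin"
    if not is_token_valid(session, request.form):
        return 403, "invalid csrf token"
    if request.form.get("type") != "set2FA":
        return 400, "unknown action"
    enable = request.form.get("value") == "true"
    if not enable:
        # Disabling the second factor is a step-up action: require the current
        # password and a current 2FA code, not just a valid session.
        if not reauth(session.user_id,
                      request.form.get("password", ""),
                      request.form.get("code", "")):
            return 401, "re-authentication required"
    session.twofa_enabled = enable
    return 200, "ok"


if __name__ == "__main__":
    s = Session(user_id=7)
    demo_reauth = lambda uid, pw, code: pw == "correct-password" and code == "123456"
    cross_site = Request("POST", {"Origin": "https://third-party.example"},
                         {"type": "set2FA", "value": "false"})
    print(set_2fa(cross_site, s, demo_reauth), s.twofa_enabled)
```

Order matters: the origin and token checks run before any per-user work so that a forged request is rejected without touching account state, and a missing Origin header is not treated as proof of same-origin. Setting SameSite=Lax or Strict on the session cookie, as the workarounds section recommends, is a complementary browser-side layer rather than a replacement for these server-side checks.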
Workarounds
- Configure the AVideo session cookie with SameSite=Lax or SameSite=Strict to block cross-site POST submission of session credentials.
- Place a web application firewall (WAF) rule in front of AVideo that rejects POST requests to plugin/LoginControl/set.json.php lacking a same-origin Referer or Origin header.
- Instruct administrators and privileged users to log out of the AVideo dashboard when browsing untrusted sites until a patched version is deployed.
# Example WAF rule (ModSecurity) blocking cross-origin POSTs to the 2FA toggle.
# The chain matches only when an Origin header is present and does not begin with
# the AVideo origin; browsers send Origin on cross-site form and fetch POSTs, so
# CSRF attempts are caught, while requests with no Origin header at all pass through.
# Replace https://avideo.example.com with the deployment's own origin.
SecRule REQUEST_URI "@endsWith plugin/LoginControl/set.json.php" \
"id:1004561,phase:1,deny,status:403,\
chain,msg:'Block cross-origin CSRF on AVideo 2FA toggle'"
SecRule REQUEST_METHOD "@streq POST" \
"chain"
# &REQUEST_HEADERS:Origin counts Origin headers; exactly one must be present.
SecRule &REQUEST_HEADERS:Origin "@eq 1" \
"chain"
SecRule REQUEST_HEADERS:Origin "!@beginsWith https://avideo.example.com"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

