CVE-2026-56346 Overview
CVE-2026-56346 is an authentication bypass vulnerability affecting AVideo through version 25.0. The flaw resides in the decryptMessage.json.php endpoint, which fails to enforce authentication before processing Pretty Good Privacy (PGP) decryption requests. Unauthenticated remote attackers can submit arbitrary private keys, ciphertext, and passphrases for server-side decryption. The exposed endpoint writes key material into application logs and accepts repeated decryption operations that consume server resources. The issue is tracked under CWE-306: Missing Authentication for Critical Function.
Critical Impact
Remote attackers can abuse the decryptMessage.json.php endpoint without credentials to perform server-side PGP decryption, leak submitted key material into logs, and trigger resource exhaustion against the AVideo host.
Affected Products
- AVideo (WWBN/AVideo) through version 25.0
- Deployments exposing the decryptMessage.json.php endpoint
- Self-hosted AVideo instances reachable from the network
Discovery Timeline
- 2026-06-20 - CVE-2026-56346 published to the National Vulnerability Database
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2026-56346
Vulnerability Analysis
The decryptMessage.json.php endpoint in AVideo exposes a PGP decryption routine to any network-reachable client. The endpoint accepts three attacker-controlled parameters: a private key, a ciphertext payload, and an optional passphrase. The server performs cryptographic operations and returns the decrypted output without verifying that the requester holds a valid session or authorization token.
Because the handler logs request parameters during normal operation, submitted private keys and passphrases are written to disk. Any user with log access can recover sensitive key material supplied by other users. The endpoint also performs no rate limiting, so repeated decryption requests with large payloads can drive CPU and memory consumption on the host.
Root Cause
The root cause is missing authentication on a critical function [CWE-306]. The PHP handler does not invoke AVideo's user session validation before dispatching the cryptographic operation. Combined with verbose request logging, the missing access control turns a utility endpoint into both a data exposure surface and a denial-of-service primitive.
Attack Vector
Exploitation requires only network access to the AVideo web interface. An attacker sends an HTTP POST request to decryptMessage.json.php containing the target ciphertext, an attacker-supplied private key, and a passphrase. The server returns decryption output and writes the request fields to log files. Repeated submissions with computationally expensive payloads exhaust server resources. Technical details are available in the GitHub Security Advisory GHSA-5x2w-37xf-7962 and the VulnCheck Security Advisory.
Detection Methods for CVE-2026-56346
Indicators of Compromise
- Unauthenticated HTTP POST requests to /decryptMessage.json.php in web server access logs
- Log entries containing PGP block headers such as -----BEGIN PGP PRIVATE KEY BLOCK----- or -----BEGIN PGP MESSAGE-----
- Bursts of repeated requests to the decryption endpoint from a single source IP
- Elevated CPU or PHP-FPM worker utilization correlated with traffic to the endpoint
Detection Strategies
- Alert on any request to decryptMessage.json.php lacking a valid authenticated session cookie
- Scan application and web server logs for PGP armor headers indicating leaked key material
- Correlate request volume per source IP against baseline traffic to identify abuse patterns
Monitoring Recommendations
- Forward AVideo web server and PHP logs to a centralized logging or SIEM platform for retention and search
- Monitor host-level CPU and memory metrics on AVideo servers for anomalous spikes
- Track HTTP 200 responses from cryptographic endpoints originating from unauthenticated sessions
How to Mitigate CVE-2026-56346
Immediate Actions Required
- Restrict network access to decryptMessage.json.php using web server rules or a web application firewall until a patch is applied
- Rotate any PGP private keys that may have been submitted to the endpoint during the exposure window
- Purge or sanitize web and application logs that contain captured key material and passphrases
- Review access logs for prior unauthenticated requests to the affected endpoint
Patch Information
No fixed version is referenced in the NVD entry at the time of publication. Operators should monitor the WWBN/AVideo GitHub repository and the GitHub Security Advisory GHSA-5x2w-37xf-7962 for an official update and apply it as soon as it is released.
Workarounds
- Block external access to decryptMessage.json.php at the reverse proxy or web server layer
- Require authenticated session validation in front of the endpoint using a server-side access rule
- Disable verbose request parameter logging for cryptographic endpoints to prevent key material exposure
- Apply rate limiting on the AVideo host to reduce the resource exhaustion impact
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

