Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-56346

CVE-2026-56346: AVideo Authentication Bypass Vulnerability

CVE-2026-56346 is an authentication bypass vulnerability in AVideo through version 25.0 that allows attackers to decrypt PGP messages without credentials. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-56346 Overview

CVE-2026-56346 is an authentication bypass vulnerability affecting AVideo through version 25.0. The flaw resides in the decryptMessage.json.php endpoint, which fails to enforce authentication before processing Pretty Good Privacy (PGP) decryption requests. Unauthenticated remote attackers can submit arbitrary private keys, ciphertext, and passphrases for server-side decryption. The exposed endpoint writes key material into application logs and accepts repeated decryption operations that consume server resources. The issue is tracked under CWE-306: Missing Authentication for Critical Function.

Critical Impact

Remote attackers can abuse the decryptMessage.json.php endpoint without credentials to perform server-side PGP decryption, leak submitted key material into logs, and trigger resource exhaustion against the AVideo host.

Affected Products

  • AVideo (WWBN/AVideo) through version 25.0
  • Deployments exposing the decryptMessage.json.php endpoint
  • Self-hosted AVideo instances reachable from the network

Discovery Timeline

  • 2026-06-20 - CVE-2026-56346 published to the National Vulnerability Database
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2026-56346

Vulnerability Analysis

The decryptMessage.json.php endpoint in AVideo exposes a PGP decryption routine to any network-reachable client. The endpoint accepts three attacker-controlled parameters: a private key, a ciphertext payload, and an optional passphrase. The server performs cryptographic operations and returns the decrypted output without verifying that the requester holds a valid session or authorization token.

Because the handler logs request parameters during normal operation, submitted private keys and passphrases are written to disk. Any user with log access can recover sensitive key material supplied by other users. The endpoint also performs no rate limiting, so repeated decryption requests with large payloads can drive CPU and memory consumption on the host.

Root Cause

The root cause is missing authentication on a critical function [CWE-306]. The PHP handler does not invoke AVideo's user session validation before dispatching the cryptographic operation. Combined with verbose request logging, the missing access control turns a utility endpoint into both a data exposure surface and a denial-of-service primitive.

Attack Vector

Exploitation requires only network access to the AVideo web interface. An attacker sends an HTTP POST request to decryptMessage.json.php containing the target ciphertext, an attacker-supplied private key, and a passphrase. The server returns decryption output and writes the request fields to log files. Repeated submissions with computationally expensive payloads exhaust server resources. Technical details are available in the GitHub Security Advisory GHSA-5x2w-37xf-7962 and the VulnCheck Security Advisory.

Detection Methods for CVE-2026-56346

Indicators of Compromise

  • Unauthenticated HTTP POST requests to /decryptMessage.json.php in web server access logs
  • Log entries containing PGP block headers such as -----BEGIN PGP PRIVATE KEY BLOCK----- or -----BEGIN PGP MESSAGE-----
  • Bursts of repeated requests to the decryption endpoint from a single source IP
  • Elevated CPU or PHP-FPM worker utilization correlated with traffic to the endpoint

Detection Strategies

  • Alert on any request to decryptMessage.json.php lacking a valid authenticated session cookie
  • Scan application and web server logs for PGP armor headers indicating leaked key material
  • Correlate request volume per source IP against baseline traffic to identify abuse patterns

Monitoring Recommendations

  • Forward AVideo web server and PHP logs to a centralized logging or SIEM platform for retention and search
  • Monitor host-level CPU and memory metrics on AVideo servers for anomalous spikes
  • Track HTTP 200 responses from cryptographic endpoints originating from unauthenticated sessions

How to Mitigate CVE-2026-56346

Immediate Actions Required

  • Restrict network access to decryptMessage.json.php using web server rules or a web application firewall until a patch is applied
  • Rotate any PGP private keys that may have been submitted to the endpoint during the exposure window
  • Purge or sanitize web and application logs that contain captured key material and passphrases
  • Review access logs for prior unauthenticated requests to the affected endpoint

Patch Information

No fixed version is referenced in the NVD entry at the time of publication. Operators should monitor the WWBN/AVideo GitHub repository and the GitHub Security Advisory GHSA-5x2w-37xf-7962 for an official update and apply it as soon as it is released.

Workarounds

  • Block external access to decryptMessage.json.php at the reverse proxy or web server layer
  • Require authenticated session validation in front of the endpoint using a server-side access rule
  • Disable verbose request parameter logging for cryptographic endpoints to prevent key material exposure
  • Apply rate limiting on the AVideo host to reduce the resource exhaustion impact

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.