Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the 512-bit RSA modulus on commodity hardware in hours, derive the complete private key, and decrypt any PGP 2FA challenge issued by the system — completely bypassing the second authentication factor. Additionally, the `generateKeys.json.php` and `encryptMessage.json.php` endpoints lack any authentication checks, exposing CPU-intensive key generation to anonymous users. Commit 00d979d87f8182095c8150609153a43f834e351e contains a patch.
Published: 2026-03-23
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass via second factor decryption
Action: Patch Immediately
AI Analysis

Impact

The LoginControl plugin in WWBN AVideo uses 512‑bit RSA keys for its PGP two‑factor authentication. Those key sizes are factorizable with publicly known algorithms, allowing an attacker who obtains a user’s public key to compute the private key on commodity hardware in a matter of hours. With the private key, the attacker can decrypt any challenge presented by the system and complete the login without the second factor. In addition, two API endpoints that generate keys and encrypt messages lack authentication checks, enabling anonymous users to request CPU‑intensive key creation and exploit this weakness further.

Affected Systems

Versions of AVideo 26.0 and earlier that include the LoginControl plugin are affected. Users running these releases are at risk when the plugin is enabled, regardless of whether the vulnerable endpoints are exposed to the network.

Risk and Exploitability

The score of 7.4 indicates a high severity level, yet the likelihood of exploitation is low, estimated below 1 percent. Attacker preparation requires obtaining a public key, performing factorization, and decrypting the challenge; all tasks can be completed in a few hours with standard hardware. Once the loophole is passed, an attacker gains full session control, potentially exposing sensitive video content. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet, but the impact warrants urgent attention.

Generated by OpenCVE AI on March 24, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AVideo to a version that replaces the weak 512‑bit key generation in the LoginControl plugin or apply the patch from commit 00d979d87f8182095c8150609153a43f834e351e
  • Restrict or remove the generateKeys.json.php and encryptMessage.json.php endpoints to eliminate anonymous key generation
  • Force all existing users to re‑generate their two‑factor keys, ensuring stronger key sizes are used
  • Monitor authentication logs for patterns that could indicate attempts to exploit this weakness

Generated by OpenCVE AI on March 24, 2026 at 20:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6m5f-j7w2-w953 AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin
History

Tue, 24 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Mon, 23 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the 512-bit RSA modulus on commodity hardware in hours, derive the complete private key, and decrypt any PGP 2FA challenge issued by the system — completely bypassing the second authentication factor. Additionally, the `generateKeys.json.php` and `encryptMessage.json.php` endpoints lack any authentication checks, exposing CPU-intensive key generation to anonymous users. Commit 00d979d87f8182095c8150609153a43f834e351e contains a patch.
Title AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin
Weaknesses CWE-326
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T15:13:58.214Z

Reserved: 2026-03-20T16:16:48.971Z

Link: CVE-2026-33488

cve-icon Vulnrichment

Updated: 2026-03-24T15:00:26.341Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T16:16:49.103

Modified: 2026-03-24T17:49:58.183

Link: CVE-2026-33488

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T21:27:56Z

Weaknesses