Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/MobileManager/oauth2.php completes an OAuth login by sending an HTTP 302 Location: oauth2Success.php?user=<email>&pass=<HASH> where <HASH> is the victim's stored password hash (md5(hash("whirlpool", sha1(password)))) read directly from the users table. AVideo's own login endpoint (objects/login.json.php) accepts an encodedPass=1 flag that bypasses hashing and performs a direct string comparison between the supplied value and the stored hash. Anyone who captures the redirect URL — via server logs, referrer leakage, or browser history — therefore obtains a credential equivalent to the plaintext password and can fully take over the account, including admin accounts. Commit 977cd6930a97571a26da4239e25c8096dd4ecbc1 contains an updated fix.
Published: 2026-05-11
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the MobileManager module of the AVideo platform. During OAuth completion, the service issues an HTTP redirect that contains the user's email and a stored password hash in the query string. The hash uses md5 over whirlpool and sha1, but it is the same value used for authentication. Because this value is exposed in the redirect URL, anyone who can capture the URL—for example, from server logs, referrer headers, or browser history—obtains a credential equivalent to the plain‑text password. An attacker can then use the platform’s login endpoint, which accepts a flag that bypasses password hashing, to authenticate directly with the leaked hash. This allows full account takeover, including privileged admin accounts. The weakness is a form of information disclosure linked to CWE-598.

Affected Systems

The affected product is WWBN AVideo, an open source video hosting platform. Versions up to and including 29.0 contain the flaw. The issue resides specifically in the MobileManager oauth2.php script. The fix has already been committed (977cd6930a97571a26da4239e25c8096dd4ecbc1); any deployment running version 29.0 or earlier is affected.

Risk and Exploitability

The CVSS score is 6.8, indicating a medium severity security flaw. No EPSS score is publicly available, and the vulnerability is not in the CISA KEV catalog. The attack vector typically requires the attacker to gather the redirect URL, which may be accomplished by inspecting server logs, intercepting traffic on a shared network, or harvesting leaked referrer data. Once the hash is captured, the attacker can perform a credential pass‑through attack by sending the hash value to the platform’s JSON login endpoint with the encodedPass flag, achieving full unauthorized access to the victim’s account. The impact is an authentication bypass leading to potentially complete system compromise if privileged accounts are taken over.

Generated by OpenCVE AI on May 11, 2026 at 22:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch that removes the password hash from the OAuth redirect URL, as referenced in the commit link (977cd6930a97571a26da4239e25c8096dd4ecbc1).
  • Force a password reset for all users whose accounts may have been exposed, and consider disabling or restricting OAuth login until the fix is deployed.
  • Review and secure server logs and referrer data to prevent future leakage of sensitive information, and monitor for any anomalous authentication attempts that use leaked hashes.

Generated by OpenCVE AI on May 11, 2026 at 22:59 UTC.
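Added example, not part of the OpenCVE record or the AVideo code base: a Python detector for the pre-fix redirect pattern described above, run over constructed web-server access-log lines. It lists which accounts had a stored hash written to the log (the accounts the recommended password reset should cover) and redacts the pass= value before logs are shared or archived; the sample log lines, IP addresses, e-mail addresses and hash values are all constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). The first two show
# what a pre-fix AVideo deployment records when the oauth2.php 302 lands on
# oauth2Success.php with the stored hash in the query string.
SAMPLE_LOG = """\
203.0.113.5 - - [11/May/2026:22:10:01 +0000] "GET /plugin/MobileManager/oauth2Success.php?user=alice%40example.org&pass=0123456789abcdef0123456789abcdef HTTP/1.1" 200 512
203.0.113.5 - - [11/May/2026:22:10:02 +0000] "GET /plugin/MobileManager/oauth2Success.php?user=bob%40example.org&pass=FEDCBA9876543210FEDCBA9876543210 HTTP/1.1" 200 512
198.51.100.7 - - [11/May/2026:22:11:00 +0000] "GET /plugin/MobileManager/oauth2Success.php?user=carol%40example.org HTTP/1.1" 200 512
198.51.100.7 - - [11/May/2026:22:12:00 +0000] "GET /videos HTTP/1.1" 200 4096
"""

# Common Log Format: client IP, then the quoted request line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) HTTP/')
# The leaked value is an md5 digest, i.e. exactly 32 hex characters.
MD5_HEX_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def find_leaked_hashes(log_text):
    """Return (client_ip, user, hash) for every oauth2Success.php request whose
    pass= parameter looks like a stored hash; hashes are lower-cased."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/oauth2Success.php"):
            continue
        qs = parse_qs(parts.query)          # also percent-decodes user=
        pw = qs.get("pass", [""])[0]
        if MD5_HEX_RE.match(pw):
            hits.append((ip, qs.get("user", [""])[0], pw.lower()))
    return hits


def accounts_to_reset(log_text):
    """Sorted, de-duplicated list of accounts whose hash reached the log."""
    return sorted({user for _, user, _ in find_leaked_hashes(log_text)})


def redact_line(line):
    """Replace a logged 32-hex pass= value with a placeholder; other lines
    are returned unchanged."""
    return re.sub(r"(\bpass=)[0-9a-fA-F]{32}", r"\1[REDACTED]", line)
```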

Advisories

Source: GitHub GHSA
ID: GHSA-5w8w-26ch-v5cw
Title: AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover

History

Tue, 12 May 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 11 May 2026 23:00:00 +0000

Type: First Time appeared
Values Added: Wwbn, Wwbn avideo

Type: Vendors & Products
Values Added: Wwbn, Wwbn avideo

Mon, 11 May 2026 21:30:00 +0000

Type: Description
Values Added: the Description shown at the top of this record

Type: Title
Values Added: WWBN AVideo: Password Hash Leaked in MobileManager OAuth Redirect URL Enables Account Takeover

Type: Weaknesses
Values Added: CWE-598

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:24:29.981Z

Reserved: 2026-05-04T15:17:09.329Z

Link: CVE-2026-43875

Vulnrichment

Updated: 2026-05-12T13:24:26.326Z

NVD

Status : Deferred

Published: 2026-05-11T22:22:11.843

Modified: 2026-05-12T14:50:18.527

Link: CVE-2026-43875

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:00:19Z

Weaknesses