Description
AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credentials, exposing key material to logs and enabling resource exhaustion attacks.
Published: 2026-06-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows unauthenticated attackers to submit a private key, ciphertext, and passphrase to the decryptMessage.json.php endpoint, causing the server to perform PGP decryption and return the plaintext. Because the decrypted data can be logged, this results in exposure of sensitive key material and message content. The flaw is a missing authentication weakness (CWE‑306).

Affected Systems

The issue affects AVideo by WWBN in all releases up to and including version 25.0. Any installation that has the decryptMessage.json.php file exposed is vulnerable.

Risk and Exploitability

With a CVSS score of 6.9, the vulnerability is considered medium severity. EPSS data is not provided, and the vulnerability is not listed in CISA’s KEV catalog. An attacker can exploit the flaw by sending HTTP requests to the endpoint without credentials, immediately acquiring decrypted content and potentially exhausting server resources through repeated decryption requests.

Generated by OpenCVE AI on June 20, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to a version that removes or protects the decryptMessage.json.php endpoint, if such a release exists.
  • If an update is not available, place a firewall or access‑control rule in front of the endpoint to restrict it to trusted IP addresses or require authentication before allowing decryption requests.
  • Monitor application logs for unexpected decryption activity and rotate logs frequently to limit exposure of decrypted data.

Generated by OpenCVE AI on June 20, 2026 at 19:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Avideo
Avideo avideo
Vendors & Products Avideo
Avideo avideo

Sat, 20 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credentials, exposing key material to logs and enabling resource exhaustion attacks.
Title AVideo - Unauthenticated PGP Message Decryption via decryptMessage.json.php Endpoint
First Time appeared Wwbn
Wwbn avideo
Weaknesses CWE-306
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Vendors & Products Wwbn
Wwbn avideo
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-08T19:42:52.437Z

Reserved: 2026-06-20T18:13:07.363Z

Link: CVE-2026-56346

cve-icon Vulnrichment

Updated: 2026-06-22T12:41:56.740Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:03:59Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function