CVE-2026-33041
Information Disclosure in WWBN AVideo Password Hash Endpoint
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | to 26.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-33041 is a vulnerability in WWBN AVideo versions 25.0 and below where the endpoint /objects/encryptPass.json.php allows any unauthenticated user to submit arbitrary passwords and receive their hashed equivalents.'}, {'type': 'paragraph', 'content': "This exposure reveals the application's password hashing algorithm, which uses a weak hash chain (md5+whirlpool+sha1) without salting by default, making the hash output predictable and identical to stored database hashes."}, {'type': 'paragraph', 'content': 'Attackers can use this endpoint as a password hash oracle to generate hashes for candidate passwords, enabling efficient offline password cracking if they obtain password hashes from the database through other means such as SQL injection or backup exposure.'}, {'type': 'paragraph', 'content': 'This vulnerability eliminates the need for attackers to reverse-engineer the hashing algorithm, significantly aiding in rapid password cracking.'}] [2]
How can this vulnerability impact me? :
If an attacker obtains password hashes from your database, they can use the exposed endpoint to quickly generate matching hashes for guessed passwords, allowing them to crack user passwords offline very efficiently.
This can lead to unauthorized access to user accounts, potentially compromising sensitive user data and the integrity of your system.
Because the hashing algorithm is weak and unsalted by default, attackers can build rainbow tables or precomputed hash lists to accelerate brute force attacks.
Overall, this vulnerability increases the risk of credential compromise and unauthorized access without requiring the attacker to have any privileges or authentication.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the endpoint `/objects/encryptPass.json.php` is accessible without authentication and responds to arbitrary password inputs with hashed equivalents.'}, {'type': 'paragraph', 'content': 'You can use commands like curl to test this endpoint from your network or system:'}, {'type': 'list_item', 'content': "curl -X POST -d 'password=test' https://your-avideo-instance/objects/encryptPass.json.php"}, {'type': 'list_item', 'content': 'If the response returns a hashed password without requiring authentication, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring for excessive requests to this endpoint (more than 20 calls per 5 minutes from the same IP) can indicate attempts to exploit the vulnerability.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the `/objects/encryptPass.json.php` endpoint by enforcing authentication and rate limiting.
- Implement rate limiting to allow a maximum of 20 calls per 5 minutes per IP address to prevent abuse.
- Require authentication for access to the endpoint, either via an authenticated admin session or a valid server-to-server HMAC token.
- Ensure that the plaintext password is not returned in the response to avoid information disclosure.
Upgrading to version 26.0 or later of WWBN AVideo, where these protections are implemented, is recommended to fully address the vulnerability.