CVE-2026-43873
Received Received - Intake
Information Disclosure in WWBN AVideo

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone->myKey, a constant md5($global['systemRootPath'] . $global['salt'])) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers without a valid key, but the rejection message interpolates the expected key before die(). When the victim has CloneSite configured with a remote cloneSiteURL (standard federation/backup setup), the leaked myKey is exactly the credential that authenticates the victim to that remote server's cloneServer.json.php, allowing the attacker to impersonate the victim and trigger a full mysqldump of the remote's database to the remote's public videos/clones/ directory Commit e6566f56a28f4556b2a0a09d03717a719dcb49da contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-43873
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo 29.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in WWBN AVideo, an open source video platform, in versions up to and including 29.0. The issue is in the plugin/CloneSite/cloneClient.json.php file, which unintentionally exposes the local CloneSite shared secret (myKey) in the HTTP response body on every unauthenticated request. This shared secret is a constant derived from system paths and salts. Although the code was intended to reject unauthorized access, it leaks this secret in the error message before terminating the request.

If the victim has CloneSite configured with a remote cloneSiteURL (a common setup for federation or backup), the leaked myKey acts as a credential that allows an attacker to authenticate to the remote server's cloneServer.json.php. This enables the attacker to impersonate the victim and trigger a full mysqldump of the remote server's database, which is then stored in the remote server's public videos/clones/ directory.

Impact Analysis

This vulnerability can have serious impacts including unauthorized disclosure of sensitive data. An attacker can obtain the shared secret key without authentication, allowing them to impersonate the victim on a remote CloneSite server.

By exploiting this, the attacker can trigger a full database dump (mysqldump) of the remote server, exposing potentially sensitive information stored in the database. This data is then publicly accessible in the remote server's videos/clones/ directory, leading to data leakage and potential compromise of user privacy and system integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart