CVE-2026-43875
Received Received - Intake
OAuth Login Credential Exposure in WWBN AVideo

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/MobileManager/oauth2.php completes an OAuth login by sending an HTTP 302 Location: oauth2Success.php?user=<email>&pass=<HASH> where <HASH> is the victim's stored password hash (md5(hash("whirlpool", sha1(password)))) read directly from the users table. AVideo's own login endpoint (objects/login.json.php) accepts an encodedPass=1 flag that bypasses hashing and performs a direct string comparison between the supplied value and the stored hash. Anyone who captures the redirect URL β€” via server logs, referrer leakage, or browser history β€” therefore obtains a credential equivalent to the plaintext password and can fully take over the account, including admin accounts. Commit 977cd6930a97571a26da4239e25c8096dd4ecbc1 contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-43875
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-598 The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability exposes stored password hashes in URLs during OAuth login redirects, which can be captured through server logs, referrer leakage, or browser history. Such exposure can lead to full account takeover, including administrative accounts.

The leakage of sensitive authentication credentials likely violates data protection and privacy requirements found in common standards and regulations such as GDPR and HIPAA, which mandate the protection of personal and sensitive information against unauthorized access.

Therefore, this vulnerability could result in non-compliance with these regulations due to inadequate protection of user credentials and potential unauthorized access to personal data.

Mitigation Strategies

Immediate mitigation steps include updating WWBN AVideo to a version that contains the fix (commit 977cd6930a97571a26da4239e25c8096dd4ecbc1 or later).

Until the update can be applied, avoid exposing sensitive information in URLs, especially password hashes, and restrict access to the vulnerable OAuth login endpoint.

Additionally, monitor and audit server logs and network traffic for signs of exploitation and consider resetting passwords for affected accounts.

Executive Summary

This vulnerability exists in WWBN AVideo, an open source video platform, in versions up to and including 29.0. The issue occurs in the plugin/MobileManager/oauth2.php file, which completes an OAuth login by sending an HTTP 302 redirect containing the victim's stored password hash in the URL parameters. This hash is derived from the user's password using a combination of md5, whirlpool, and sha1 hashing algorithms.

Because the login endpoint accepts a flag that bypasses hashing and compares the supplied value directly to the stored hash, anyone who captures the redirect URL (through server logs, referrer leakage, or browser history) can obtain a credential equivalent to the plaintext password. This allows full account takeover, including admin accounts.

Impact Analysis

The vulnerability allows an attacker who captures the redirect URL containing the password hash to fully take over the victim's account without needing the plaintext password.

  • Account takeover including administrative accounts.
  • Potential unauthorized access to sensitive user data and platform controls.
  • Compromise of user privacy and platform security.
Detection Guidance

This vulnerability can be detected by monitoring network traffic and server logs for HTTP 302 redirects from the plugin/MobileManager/oauth2.php endpoint that include URLs containing the parameter oauth2Success.php with user and pass query parameters. The pass parameter contains the victim's stored password hash, which should not be exposed.

Commands to detect this might include using network traffic analysis tools such as tcpdump or Wireshark to filter HTTP 302 responses containing 'oauth2Success.php' and 'pass=' in the URL.

  • tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Location: oauth2Success.php'
  • grep -r 'oauth2Success.php' /var/log/apache2/access.log
  • Use web server logs to search for URLs containing 'oauth2Success.php?user=' and 'pass=' parameters.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43875. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart