CVE-2026-45610
Analyzed Analyzed - Analysis Complete
Cross-Site Request Forgery in WWBN AVideo 2FA Toggle

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest() call, no isTokenValid() check, no X-CSRF-Token/SameSite enforcement, and no re-authentication step. A cross-origin page that the victim visits while logged into the AVideo dashboard issues the POST via a hidden form (or fetch without credentials:"omit") and disables the victim's 2FA in one request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45610
EUVD
EUVD-2026-33309
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to silently disable two-factor authentication (2FA) on a victim's account without their consent, which significantly weakens account security.

Disabling 2FA can lead to unauthorized access and potential full account compromise, increasing the risk of data breaches.

Such unauthorized access and potential data breaches could result in non-compliance with security requirements mandated by common standards and regulations like GDPR and HIPAA, which require appropriate safeguards to protect personal and sensitive data.

Executive Summary

CVE-2026-45610 is a Cross-Site Request Forgery (CSRF) vulnerability in the WWBN AVideo platform's LoginControl plugin. Specifically, the vulnerability exists in the endpoint that toggles two-factor authentication (2FA) for users. This endpoint does not have proper CSRF protections, such as token validation or re-authentication steps.

An attacker can exploit this by tricking a logged-in user into visiting a malicious webpage that silently sends a POST request to disable the victim's 2FA without their knowledge or consent.

The attack requires the victim to be logged into the AVideo dashboard, and it works because the session cookie is sent with the request due to the SameSite attribute being set to Lax. The vulnerability arises from missing CSRF checks and lack of additional authentication when disabling 2FA.

Impact Analysis

This vulnerability can have a significant impact by allowing an attacker to silently disable two-factor authentication (2FA) on a victim's account.

Disabling 2FA reduces the security of the account, making it easier for attackers to gain full access, especially if combined with other attacks like credential stuffing or phishing.

Once 2FA is disabled, the attacker can potentially compromise the victim's account integrity without the victim's knowledge, leading to unauthorized access and possible misuse of the account.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the endpoint plugin/LoginControl/set.json.php with the parameter type=set2FA and value=false. Such requests indicate attempts to disable 2FA without proper authorization.

Network detection can involve capturing HTTP traffic and filtering for POST requests targeting the set2FA toggle endpoint.

  • Use tools like tcpdump or Wireshark to capture HTTP POST requests to plugin/LoginControl/set.json.php.
  • Example tcpdump command: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep 'POST /plugin/LoginControl/set.json.php'
  • Use web server logs to search for POST requests with parameters type=set2FA and value=false.
  • Example grep command on access logs: grep 'POST /plugin/LoginControl/set.json.php' /var/log/apache2/access.log | grep 'type=set2FA' | grep 'value=false'
Mitigation Strategies

Immediate mitigation steps include implementing CSRF protection on the vulnerable endpoint to prevent unauthorized POST requests.

Specifically, add checks such as forbidIfIsUntrustedRequest(), validate CSRF tokens, and enforce SameSite cookie attributes properly.

Additionally, require step-up authentication (e.g., re-entering password or current 2FA code) before allowing 2FA to be disabled.

Until a patch is applied, consider restricting access to the affected endpoint or monitoring and blocking suspicious POST requests.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45610. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart