CVE-2024-48928
Published: 24 February 2026
Summary
CVE-2024-48928 is a low-severity Use of Insufficiently Random Values (CWE-330) vulnerability in the Piwigo photo gallery application (vendor: Piwigo). Its CVSS base score is 2.7 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE is ranked at the 15.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-48928 is a vulnerability in Piwigo, an open source photo gallery application for the web, affecting versions on the 14.x branch. During installation, the secret_key configuration parameter is generated as the MD5 hash of the output of MySQL's RAND() function, which provides only 30 bits of randomness. This low entropy makes the secret key feasible to brute-force, as classified under CWE-330 (Use of Insufficiently Random Values). The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact reachable over the network without authentication.
Any remote attacker can exploit this by brute-forcing all possible secret key values, a process that takes approximately one hour, using the CSRF token (which is partially constructed from the secret key) to verify success. Knowledge of the secret key also allows values for get_ephemeral_key to be generated. However, the overall impact is limited, because the auto login key additionally incorporates the user's password on top of the secret key, and the pwg token incorporates the user's session identifier on top of it.
Piwigo version 15.0.0 fixes the issue. Additional details are available in the GitHub security advisory at https://github.com/Piwigo/Piwigo/security/advisories/GHSA-hghg-37rg-7r42 and in the patching commit at https://github.com/Piwigo/Piwigo/commit/552499e0533ce54b55f4304b41ca6cd7ccce51f8.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-55453
Vulnerability details
Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. However, RAND() only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token is constructed partially from the secret key, and this can be used to check if the brute force succeeded. Trying all possible values takes approximately one hour. The impact of this is limited. The auto login key uses the user's password on top of the secret key. The pwg token uses the user's session identifier on top of the secret key. It seems that values for get_ephemeral_key can be generated when one knows the secret key. Version 15.0.0 contains a fix for the issue.
- CWE(s): CWE-330 (Use of Insufficiently Random Values)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Brute Force (T1110)
Why these techniques?
The weakness directly enables brute-force recovery of the low-entropy secret_key (used in CSRF tokens and ephemeral keys), because the value is generated from insufficient randomness.
Mitigating Controls (NIST 800-53 r5)
- SC-12 (Cryptographic Key Establishment and Management): requires cryptographic keys, such as the application's secret_key, to be generated and managed with sufficient randomness and strength to resist brute-force attacks.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, including patching Piwigo to version 15.0.0, which fixes the low-entropy MD5(RAND()) secret_key generation.
- SC-23 (Session Authenticity): ensures that mechanisms for session authenticity, such as CSRF tokens derived from the secret_key, employ cryptographically sound protections against prediction or forgery.