CVE-2026-33488
Published: 23 March 2026
Summary
CVE-2026-33488 is a high-severity Inadequate Encryption Strength (CWE-326) vulnerability in WWBN AVideo. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-13 (Cryptographic Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-13 (Cryptographic Protection): requires implementation of cryptographic protections with adequate key strengths to prevent factoring attacks on the 512-bit RSA keys used in the PGP 2FA system.
- SC-12 (Cryptographic Key Establishment and Management): mandates proper cryptographic key establishment and management, directly addressing the generation of factorable 512-bit RSA keys in the createKeys() function.
- Flaw remediation: requires timely identification, reporting, and correction of flaws, including patching the weak key generation and the unauthenticated endpoints via the provided commit.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing AVideo web application directly enables remote unauthenticated exploitation (T1190), and the unauthenticated CPU-intensive endpoints facilitate resource exhaustion / denial of service (T1499). The weak-key bypass of 2FA leads to account access, but that outcome maps only indirectly to an ATT&CK technique.
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the 512-bit RSA modulus on commodity hardware in hours, derive the complete private key, and decrypt any PGP 2FA challenge issued by the system, completely bypassing the second authentication factor. Additionally, the `generateKeys.json.php` and `encryptMessage.json.php` endpoints lack any authentication checks, exposing CPU-intensive key generation to anonymous users. Commit 00d979d87f8182095c8150609153a43f834e351e contains a patch.
Deeper analysis
CVE-2026-33488 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The core issue lies in the LoginControl plugin's PGP 2FA system, where the createKeys() function generates 512-bit RSA keys, which have been publicly factorable since 1999 due to their inadequate size. This weakness allows the RSA modulus to be broken on commodity hardware. Additionally, the generateKeys.json.php and encryptMessage.json.php endpoints perform CPU-intensive operations without any authentication checks, exposing them to abuse by anonymous users.
Remote unauthenticated attackers (PR:N) can exploit this over the network (AV:N), though it requires high attack complexity (AC:H). By obtaining a target user's public key, an attacker can factor the modulus in hours, derive the full private key, and decrypt any PGP 2FA challenge, completely bypassing the second authentication factor and potentially gaining unauthorized account access (C:H/I:H). The exposed endpoints also enable resource exhaustion attacks, such as denial of service via repeated key generation requests. The vulnerability carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-326 (Inadequate Encryption Strength).
Mitigation is available via commit 00d979d87f8182095c8150609153a43f834e351e, which patches the weak key generation and addresses the unauthenticated endpoints. The GitHub security advisory GHSA-6m5f-j7w2-w953 provides further details on the issue and remediation steps. Security practitioners should urge AVideo administrators to apply this patch promptly.
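Beyond applying the patch, an administrator will want to find 2FA keys that were already generated at 512 bits. The following Python audit is an added example, not code from the AVideo project or the advisory: it parses stored OpenPGP v4 RSA public-key packets (RFC 4880 layout) and flags any modulus below a policy floor. The 2048-bit floor, the packet builder and the sample key store are assumptions constructed for this illustration.

```python
import struct
MIN_RSA_BITS = 2048  # policy floor assumed for this example (NIST SP 800-57 minimum for RSA)
def _mpi(x: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
def build_public_key_packet(n: int, e: int = 65537) -> bytes:
    """Construct a minimal OpenPGP v4 RSA Public-Key packet (tag 6) as test input."""
    body = b"\x04" + struct.pack(">I", 0) + b"\x01" + _mpi(n) + _mpi(e)  # version, ctime, algo=RSA
    length = len(body)
    if length < 192:  # new-format one-octet length
        return bytes([0xC0 | 6, length]) + body
    # new-format two-octet length (192..8383)
    return bytes([0xC0 | 6, ((length - 192) >> 8) + 192, (length - 192) & 0xFF]) + body
def rsa_modulus_bits(packet: bytes) -> int:
    """Return the bit length of the RSA modulus n in a v4 Public-Key or Public-Subkey packet."""
    tag_byte = packet[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if tag_byte & 0x40:  # new-format header (RFC 4880 4.2.2); partial lengths unsupported
        tag, first = tag_byte & 0x3F, packet[1]
        pos = 2 if first < 192 else 3 if first < 224 else 6 if first == 255 else None
    else:  # old-format header (RFC 4880 4.2.1); indeterminate length unsupported
        tag, length_type = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
        pos = None if length_type == 3 else 1 + (1, 2, 4)[length_type]
    if pos is None or tag not in (6, 14):
        raise ValueError(f"unsupported packet (tag {tag})")
    if packet[pos] != 4:
        raise ValueError(f"unsupported key packet version {packet[pos]}")
    algo = packet[pos + 5]  # follows the 1-byte version and 4-byte creation time
    if algo not in (1, 2, 3):  # RSA encrypt-or-sign / encrypt-only / sign-only
        raise ValueError(f"algorithm {algo} is not RSA")
    return struct.unpack(">H", packet[pos + 6:pos + 8])[0]  # bit count of the first MPI, n
def audit_keys(keys: dict) -> list:
    """Return (user, modulus_bits) for each stored key below MIN_RSA_BITS; unparseable keys report 0."""
    findings = []
    for user, packet in keys.items():
        try:
            bits = rsa_modulus_bits(packet)
        except (ValueError, IndexError):
            bits = 0
        if bits < MIN_RSA_BITS:
            findings.append((user, bits))
    return findings
# Constructed sample key store; the moduli are placeholders, not real products of two primes.
SAMPLE_KEYS = {
    "alice": build_public_key_packet((1 << 511) | 1),   # 512-bit, like the affected createKeys()
    "bob": build_public_key_packet((1 << 2047) | 1),    # 2048-bit, meets the policy floor
}
```

Any user returned by audit_keys() should be re-enrolled with a fresh key after the patched key generation is deployed; a key that fails to parse is reported as 0 bits so it is reviewed rather than silently skipped.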
Details
- CWE(s)