PT-2026-26774 · WordPress+1 · Wp Login Control+1

Restriction · Published 2026-03-20 · Updated 2026-03-23 · CVE-2026-33488

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions prior to 26.1

Description:
The createKeys() function within the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which are easily factorable with modern hardware. An attacker obtaining a user's public key can derive the corresponding private key and bypass the second authentication factor. The generateKeys.json.php and encryptMessage.json.php endpoints lack authentication checks, allowing anonymous users to trigger CPU-intensive key generation, potentially leading to denial of service.

The vulnerability resides in the plugin/LoginControl/pgp/functions.php file, specifically at line 26, where the RSA::createKey(512) function is called. This code was copied from example code not intended for production use. The issue affects all users who enabled PGP 2FA using the application's built-in key generator. The unauthenticated endpoints affect all deployments with the LoginControl plugin.

An attacker can obtain the target user's 512-bit public key, extract the RSA modulus, factor the modulus using tools like CADO-NFS or msieve, reconstruct the private key, decrypt the 2FA challenge, and submit the decrypted value to bypass 2FA.

Recommendations:
- Versions prior to 26.1: Increase the RSA key size to a minimum of 2048 bits in plugin/LoginControl/pgp/functions.php.
- Versions prior to 26.1: Add authentication to the generateKeys.json.php endpoint, mirroring the pattern used in decryptMessage.json.php.
- Versions prior to 26.1: Add authentication to the encryptMessage.json.php endpoint, mirroring the pattern used in decryptMessage.json.php.
- Versions prior to 26.1: Implement minimum key size validation in savePublicKey.json.php to reject keys smaller than 2048 bits.
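The last recommendation, a minimum key-size check on keys submitted to savePublicKey.json.php, needs the endpoint to look inside the uploaded OpenPGP key rather than trust the client. The following is an added example written for this page, not AVideo's code and not in the project's PHP: it dearmors a public key block with the Python standard library, walks the packet stream to the primary public-key packet, reads the RSA modulus MPI, and rejects anything below 2048 bits. The sample keys at the bottom are constructed from synthetic moduli (not real key pairs) so the script runs offline; the function names, the CRC-less armor and the 2048-bit policy constant are this example's own assumptions.

```python
"""Minimum RSA key-size check for uploaded OpenPGP public keys (added example)."""
from __future__ import annotations

import base64
import struct

MIN_RSA_BITS = 2048       # policy taken from the advisory's recommendation
TAG_PUBLIC_KEY = 6        # OpenPGP packet tag of a primary public key (RFC 4880 5.5.1.1)
RSA_ALGOS = (1, 2, 3)     # RSA encrypt-or-sign, RSA encrypt-only, RSA sign-only


def dearmor(text: str) -> bytes:
    """Strip ASCII armor (RFC 4880 6.2) and return the raw packet bytes."""
    lines = text.strip().splitlines()
    if not lines or lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----":
        raise ValueError("missing PGP PUBLIC KEY BLOCK armor header")
    body, past_headers = [], False
    for line in lines[1:]:
        if line.startswith("-----END"):
            break
        if not past_headers:                 # a blank line ends the armor headers
            past_headers = line.strip() == ""
            continue
        if line.startswith("="):             # optional CRC24 checksum line
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body), validate=True)  # binascii.Error is a ValueError


def read_packet(data: bytes, offset: int) -> tuple[int, bytes, int]:
    """Parse one packet header at offset; return (tag, body, next_offset)."""
    ctb = data[offset]
    if not ctb & 0x80:
        raise ValueError("packet tag byte lacks the always-set high bit")
    if ctb & 0x40:                           # new-format header (RFC 4880 4.2.2)
        tag = ctb & 0x3F
        first = data[offset + 1]
        if first < 192:
            length, hlen = first, 2
        elif first < 224:
            length, hlen = ((first - 192) << 8) + data[offset + 2] + 192, 3
        elif first == 255:
            length, hlen = struct.unpack(">I", data[offset + 2:offset + 6])[0], 6
        else:
            raise ValueError("partial body lengths are not supported here")
    else:                                    # old-format header (RFC 4880 4.2.1)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, hlen = data[offset + 1], 2
        elif ltype == 1:
            length, hlen = struct.unpack(">H", data[offset + 1:offset + 3])[0], 3
        elif ltype == 2:
            length, hlen = struct.unpack(">I", data[offset + 1:offset + 5])[0], 5
        else:
            raise ValueError("indeterminate packet length is not supported here")
    start, end = offset + hlen, offset + hlen + length
    if end > len(data):
        raise ValueError("packet body runs past end of data")
    return tag, data[start:end], end


def rsa_modulus_bits(armored: str) -> int:
    """Return the real bit length of the RSA modulus in the primary key packet."""
    data, offset = dearmor(armored), 0
    while offset < len(data):
        tag, body, offset = read_packet(data, offset)
        if tag != TAG_PUBLIC_KEY:
            continue
        if body[0] != 4:
            raise ValueError(f"unsupported public-key packet version {body[0]}")
        algo = body[5]                       # version(1) + creation time(4) + algorithm(1)
        if algo not in RSA_ALGOS:
            raise ValueError(f"public-key algorithm {algo} is not RSA")
        declared_bits = struct.unpack(">H", body[6:8])[0]   # MPI bit count of n
        n = int.from_bytes(body[8:8 + (declared_bits + 7) // 8], "big")
        # Measure the bytes, not the declared MPI length: a forged length field
        # must not make a short modulus look long.
        return n.bit_length()
    raise ValueError("no primary public-key packet found")


def validate_public_key(armored: str, min_bits: int = MIN_RSA_BITS) -> tuple[bool, str]:
    """Accept/reject decision a save-key endpoint would return to the client."""
    try:
        bits = rsa_modulus_bits(armored)
    except (ValueError, IndexError, struct.error) as exc:
        return False, f"rejected: {exc}"
    if bits < min_bits:
        return False, f"rejected: {bits}-bit RSA modulus is below the {min_bits}-bit minimum"
    return True, f"accepted: {bits}-bit RSA modulus"


def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def build_sample_key(modulus: int, exponent: int = 65537) -> str:
    """Constructed v4 RSA public-key packet in armor; test input only, not a real key."""
    body = b"\x04" + struct.pack(">I", 0) + b"\x01" + _mpi(modulus) + _mpi(exponent)
    if len(body) < 192:
        header = bytes([0xC0 | TAG_PUBLIC_KEY, len(body)])
    else:                                    # two-octet new-format length (192..8383)
        l2 = len(body) - 192
        header = bytes([0xC0 | TAG_PUBLIC_KEY, 192 + (l2 >> 8), l2 & 0xFF])
    b64 = base64.b64encode(header + body).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + wrapped + "\n-----END PGP PUBLIC KEY BLOCK-----\n"


# Synthetic moduli with the top bit set: the advisory's weak 512-bit size and 2048-bit.
WEAK_KEY = build_sample_key((1 << 511) | 0x10001)
STRONG_KEY = build_sample_key((1 << 2047) | 0x10001)

if __name__ == "__main__":
    for name, key in (("512-bit", WEAK_KEY), ("2048-bit", STRONG_KEY), ("junk", "not a key")):
        print(name, "->", validate_public_key(key)[1])
```

The check reads the modulus bytes and computes their bit length instead of trusting the two-octet MPI length prefix, so a client cannot pad the length field to sneak a short modulus past the policy. Keys the built-in generator already created at 512 bits are still registered on existing accounts; the server-side check only stops new weak keys from being saved, so rotating those keys remains part of the fix.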

Weakness Enumeration: Inadequate Encryption Strength

Related Identifiers:
CVE-2026-33488
GHSA-6M5F-J7W2-W953

Affected Products:
Avideo
Wp Login Control