PatchSiren cyber security CVE debrief

CVE-2026-45610 WWBN CVE debrief

A cross-site request forgery (CSRF) vulnerability exists in WWBN AVideo versions 29.0 and earlier. The endpoint plugin/LoginControl/set.json.php accepts POST requests to disable two-factor authentication (2FA) for the currently authenticated user without requiring CSRF tokens, SameSite cookie enforcement, or re-authentication. An attacker can craft a malicious web page that, when visited by a logged-in victim, submits a forged request to disable the victim's 2FA protection. The vulnerability was published to the NVD on 2026-05-29 and remains under analysis. The GitHub Security Advisory provides the primary technical disclosure.

Vendor: WWBN
Product: AVideo
CVSS: MEDIUM 5.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running WWBN AVideo 29.0 or earlier; security teams responsible for application authentication controls; developers maintaining AVideo deployments.

Technical summary

The plugin/LoginControl/set.json.php endpoint in AVideo 29.0 and earlier processes POST requests to disable 2FA without CSRF token validation, SameSite enforcement, or re-authentication. The endpoint accepts parameters type=set2FA and value=false, then calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user. No forbidIfIsUntrustedRequest(), isTokenValid(), or equivalent anti-CSRF mechanism is present. An attacker can exploit this by inducing a logged-in victim to visit a malicious page that submits the forged request, resulting in complete 2FA bypass for subsequent attacks.

Defensive priority

High

Recommended defensive actions

  • Upgrade to a patched version of WWBN AVideo when available from the vendor.
  • Implement CSRF token validation on all state-changing endpoints, particularly those affecting authentication security controls.
  • Apply SameSite cookie attributes to session cookies to mitigate cross-origin request risks.
  • Require re-authentication before allowing changes to 2FA settings.
  • Review access logs for unexpected POST requests to plugin/LoginControl/set.json.php with type=set2FA and value=false.
  • Monitor for subsequent authentication anomalies or account takeover attempts following potential 2FA disablement.
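As an added example (not code from the advisory, PatchSiren or the AVideo project), the following Python scan applies the log-review action above to constructed Apache/nginx combined-format access log lines: it flags POST requests to plugin/LoginControl/set.json.php, and escalates when the type=set2FA and value=false parameters are visible in the query string or when the Referer is missing or from a host other than the assumed site host video.example.org. Form bodies are not written to standard access logs, so the parameters only appear when a client placed them in the URL; the Referer check is the signal that survives for a forged cross-origin POST.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical host of the AVideo deployment; adjust to the monitored site.
SITE_HOST = "video.example.org"
TARGET_PATH = "/plugin/LoginControl/set.json.php"

# Apache/nginx "combined" format: request line, status, size, then quoted Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line: str):
    """Return None for lines that do not matter, otherwise a dict describing the finding."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if m["method"] != "POST" or parts.path != TARGET_PATH:
        return None
    # Form bodies are not logged, so the parameters are only visible if they were sent in the URL.
    q = parse_qs(parts.query)
    disables_2fa = q.get("type") == ["set2FA"] and q.get("value") == ["false"]
    ref_host = urlsplit(m["referer"]).hostname if m["referer"] not in ("", "-") else None
    # A state-changing POST with no Referer or a foreign Referer is the CSRF-shaped case.
    cross_origin = ref_host != SITE_HOST
    severity = "high" if (disables_2fa or cross_origin) else "review"
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"],
            "disables_2fa": disables_2fa, "referer_host": ref_host,
            "cross_origin": cross_origin, "severity": severity}

def scan(lines):
    """Run classify over an iterable of log lines and keep the findings."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample lines (not real traffic): a same-origin POST from the user's own settings page,
# a cross-origin POST carrying the 2FA-disable parameters in the query string, and a GET to ignore.
SAMPLE_LOG = """\
203.0.113.5 - - [29/May/2026:10:01:02 +0000] "POST /plugin/LoginControl/set.json.php HTTP/1.1" 200 41 "https://video.example.org/user" "Mozilla/5.0"
198.51.100.7 - - [29/May/2026:10:05:44 +0000] "POST /plugin/LoginControl/set.json.php?type=set2FA&value=false HTTP/1.1" 200 41 "https://third-party.invalid/page.html" "Mozilla/5.0"
198.51.100.7 - - [29/May/2026:10:05:45 +0000] "GET /plugin/LoginControl/set.json.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```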

Evidence notes

The NVD record cites GitHub Security Advisory GHSA-3mv2-vmwh-rwfx as the authoritative source. The advisory describes the vulnerable endpoint and the absence of CSRF protections. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N. CWE-352 (CSRF) and CWE-306 (Missing Authentication for Critical Function) are identified.

Official resources

The vulnerability was disclosed via GitHub Security Advisory and subsequently indexed by NVD on 2026-05-29.