WWBN AVideo, an open-source video platform, suffers from a cryptographic weakness in its LoginControl plugin's PGP-based two-factor authentication (2FA) system in versions up to and including 26.0. The vulnerability arises because the `createKeys()` function generates RSA keys with a 512-bit modulus, which is cryptographically insecure and has been publicly factorable since 1999. An attacker who obtains a user's public key can factor the 512-bit RSA modulus using commodity hardware within hours, thereby recovering the private key. With the private key, the attacker can decrypt PGP 2FA challenges issued by the system, effectively bypassing the second factor of authentication and compromising account security. Furthermore, the `generateKeys.json.php` and `encryptMessage.json.php` endpoints do not enforce authentication, allowing anonymous users to trigger CPU-intensive key generation operations. This could lead to denial-of-service conditions through resource exhaustion. The vulnerability is tracked as CVE-2026-33488 with a CVSS v3.1 score of 7.4 (high severity), reflecting its impact on confidentiality and integrity without affecting availability directly. A patch has been committed (commit 00d979d87f8182095c8150609153a43f834e351e) to address these issues by strengthening encryption and adding authentication checks to the endpoints.

The primary impact of this vulnerability is the compromise of the two-factor authentication mechanism, allowing attackers to bypass the second factor and gain unauthorized access to user accounts. This undermines the confidentiality and integrity of user sessions and potentially sensitive video content or administrative controls within the AVideo platform. The unauthenticated access to CPU-intensive endpoints also exposes the platform to denial-of-service attacks, which could degrade service availability. Organizations relying on AVideo for video hosting or streaming may face account takeovers, unauthorized content access, and service disruptions. This could lead to data breaches, loss of user trust, and operational downtime. Given the ease of factoring 512-bit RSA keys with modern commodity hardware, the vulnerability is exploitable without advanced resources, increasing the risk of exploitation. While no known exploits are reported in the wild yet, the public availability of the weakness and patch details may prompt attackers to develop exploits rapidly.

Organizations should immediately upgrade WWBN AVideo to a version that includes the patch addressing CVE-2026-33488 or apply the patch from commit 00d979d87f8182095c8150609153a43f834e351e if available. The RSA key size used in the PGP 2FA system must be increased to at least 2048 bits to ensure cryptographic strength against factoring attacks. Additionally, authentication checks must be enforced on the `generateKeys.json.php` and `encryptMessage.json.php` endpoints to prevent anonymous users from abusing CPU-intensive operations. Monitoring and rate-limiting requests to these endpoints can further mitigate denial-of-service risks. Organizations should audit their user accounts for suspicious activity indicative of 2FA bypass attempts and consider resetting keys or forcing 2FA re-enrollment post-patch. Implementing network-level protections such as web application firewalls (WAFs) to detect anomalous traffic patterns targeting these endpoints can provide additional defense. Finally, educating users about the importance of strong 2FA methods and timely software updates is essential to reduce exposure.