CVE-2026-45610: CWE-306: Missing Authentication for Critical Function in WWBN AVideo
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest() call, no isTokenValid() check, no X-CSRF-Token/SameSite enforcement, and no re-authentication step. A cross-origin page that the victim visits while logged into the AVideo dashboard issues the POST via a hidden form (or fetch without credentials:"omit") and disables the victim's 2FA in one request.
AI Analysis
Technical Summary
CVE-2026-45610 describes a missing authentication control (CWE-306) that manifests as a classic cross-site request forgery (CWE-352) in WWBN AVideo 29.0 and earlier. The plugin/LoginControl/set.json.php endpoint accepts POST type=set2FA value=false and acts on whichever user the session cookie identifies; it never calls forbidIfIsUntrustedRequest() or isTokenValid(), checks no Origin/Referer header or X-CSRF-Token, and does not ask the user to re-enter a password or a current 2FA code before the second factor is switched off. A page on any other origin can therefore submit that POST on the victim's behalf while the victim is logged in. One precision on the advisory's wording: a hidden, auto-submitted HTML form carries the AVideo session cookie automatically, whereas a cross-origin fetch() only does so when called with credentials: "include" (the default, "same-origin", omits cookies on cross-site requests), so the form is the more reliable vector. Whether the browser attaches the cookie at all also depends on its SameSite attribute: a session cookie set with SameSite=Lax or Strict is not sent on a cross-site POST, and Chromium-based browsers treat cookies with no SameSite attribute as Lax by default (with a short grace window for freshly set cookies), while Firefox and Safari do not apply that default. Because the application itself enforces no SameSite policy, exploitability on a given deployment hinges on what the server or reverse proxy sets on the cookie. The outcome is an integrity failure: the victim's 2FA is disabled in a single request without their knowledge.
Potential Impact
An attacker who lures a logged-in AVideo user to a page they control can disable that user's two-factor authentication without the user's knowledge or consent. The account then falls back to password-only login, so any password exposed through phishing, reuse or a breach becomes sufficient for takeover; the CVE itself grants the attacker neither the victim's credentials nor access to data, which is why its impact is confined to the integrity of the account's security settings. Confidentiality and availability of the platform are not directly affected. No exploitation in the wild has been reported at the time of writing.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory and the AVideo release notes for a fixed version before relying on any workaround. Until a fix is available, reduce exposure on the server side rather than through user behaviour alone: set the session cookie with SameSite=Lax (or Strict) so browsers do not attach it to cross-site POSTs, and have the reverse proxy reject POST requests to plugin/LoginControl/set.json.php whose Origin (or, failing that, Referer) header is not the site's own origin. In the application, the fix is to guard the set2FA branch with the forbidIfIsUntrustedRequest() and isTokenValid() checks the advisory names as absent, and to require the current password or a valid 2FA code before the second factor can be disabled. Users should avoid browsing untrusted sites while logged into the dashboard and should confirm in their profile that 2FA is still enabled. Monitor official WWBN communications for updates or patches addressing this issue.
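The handler shape the advisory describes, next to a hardened version that applies the checks recommended above, as an added PHP illustration. This is not AVideo's code: the function names, the $session/$post/$headers arrays, the in-memory user store, the "false" string encoding of value, and the deployment origin https://video.example.com are all assumptions, and plugin/LoginControl/set.json.php itself is not reproduced.

```php
<?php
// Added illustration, not code from AVideo: a minimal model of the handler shape
// the advisory describes (session-authenticated POST type=set2FA value=false with
// no request-authenticity check) next to a hardened version of the same handler.
// Function names, the $session/$post/$headers arrays, the user store and the
// deployment origin are hypothetical; plugin/LoginControl/set.json.php itself
// is not reproduced.
declare(strict_types=1);

const ALLOWED_ORIGIN = 'https://video.example.com';   // assumed deployment origin

// Vulnerable shape: any POST that arrives with a valid session cookie flips 2FA.
function set2fa_vulnerable(array $session, array $post, array &$users): array
{
    if (empty($session['user_id'])) {
        return ['error' => true, 'msg' => 'not logged in'];
    }
    if (($post['type'] ?? '') !== 'set2FA') {
        return ['error' => true, 'msg' => 'unknown type'];
    }
    // value=false arrives as the string "false" (assumed encoding); nothing checks
    // where the request came from or whether the user meant to send it.
    $users[$session['user_id']]['2fa'] = ($post['value'] ?? '') !== 'false';
    return ['error' => false];
}

// Hardened shape: origin check, session-bound synchronizer token, and
// re-authentication before the second factor can be switched off.
function set2fa_hardened(array $session, array $post, array $headers, array &$users): array
{
    if (empty($session['user_id'])) {
        return ['error' => true, 'msg' => 'not logged in'];
    }
    // 1. Browsers attach Origin to cross-origin POSTs (forms and fetch alike) and a
    //    page on another origin cannot forge or strip it. A request with no Origin
    //    header at all (non-browser client) falls through to the token check.
    $origin = $headers['Origin'] ?? null;
    if ($origin !== null && $origin !== ALLOWED_ORIGIN) {
        return ['error' => true, 'msg' => 'cross-origin request rejected'];
    }
    // 2. Synchronizer token issued with the session and compared in constant time.
    $token = $post['csrf_token'] ?? '';
    if ($token === '' || !hash_equals($session['csrf_token'] ?? '', $token)) {
        return ['error' => true, 'msg' => 'invalid CSRF token'];
    }
    if (($post['type'] ?? '') !== 'set2FA') {
        return ['error' => true, 'msg' => 'unknown type'];
    }
    $enable = ($post['value'] ?? '') !== 'false';
    // 3. Disabling 2FA is a step-up action: demand the current password again so a
    //    riding session alone is never enough.
    if (!$enable) {
        $hash = $users[$session['user_id']]['password_hash'];
        if (!password_verify($post['current_password'] ?? '', $hash)) {
            return ['error' => true, 'msg' => 're-authentication failed'];
        }
    }
    $users[$session['user_id']]['2fa'] = $enable;
    return ['error' => false];
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Self-check on constructed data: the forged request the advisory describes.
$users   = [42 => ['2fa' => true,
                   'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
$session = ['user_id' => 42, 'csrf_token' => bin2hex(random_bytes(16))];
$forged  = ['type' => 'set2FA', 'value' => 'false'];          // what a hidden form posts
$evil    = ['Origin' => 'https://attacker.example'];

$r = set2fa_vulnerable($session, $forged, $users);
expect($r['error'] === false && $users[42]['2fa'] === false, 'vulnerable handler disables 2FA');

$users[42]['2fa'] = true;
$r = set2fa_hardened($session, $forged, $evil, $users);
expect(($r['msg'] ?? null) === 'cross-origin request rejected' && $users[42]['2fa'] === true, 'origin check');

$r = set2fa_hardened($session, $forged, ['Origin' => ALLOWED_ORIGIN], $users);
expect(($r['msg'] ?? null) === 'invalid CSRF token' && $users[42]['2fa'] === true, 'token check');

$withToken = $forged + ['csrf_token' => $session['csrf_token']];
$r = set2fa_hardened($session, $withToken, ['Origin' => ALLOWED_ORIGIN], $users);
expect(($r['msg'] ?? null) === 're-authentication failed' && $users[42]['2fa'] === true, 'step-up check');

$legit = $withToken + ['current_password' => 'correct horse'];
$r = set2fa_hardened($session, $legit, ['Origin' => ALLOWED_ORIGIN], $users);
expect($r['error'] === false && $users[42]['2fa'] === false, 'legitimate same-origin disable');
echo "all checks passed\n";
```

Run it with `php set2fa_example.php`; it throws on the first check that does not hold. The three layers are deliberately independent: the Origin check stops browser-driven CSRF even if the token handling has a bug, the token covers clients that send no Origin header, and the password step-up means a riding session is never enough on its own to turn 2FA off. On a real deployment, pair the handler changes with a SameSite attribute on the session cookie (in PHP 7.3 and later, `session_set_cookie_params(['samesite' => 'Lax', 'secure' => true, 'httponly' => true])` before `session_start()`), so the browser withholds the cookie from cross-site POSTs in the first place.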
CVSS v3.1: 5.7 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-12T20:31:43.448Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a19993ae29bf47b50eaf575
Added to database: 5/29/2026, 1:48:42 PM
Last enriched: 5/29/2026, 2:05:23 PM
Last updated: 5/31/2026, 4:55:21 AM