Authentication Bypass in AVideo by WWBN
CVE-2026-56346

6.9 MEDIUM

Key Information:

Vendor

Avideo

Status
Vendor
CVE Published: 20 June 2026

What is CVE-2026-56346?

The AVideo platform prior to version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint. This flaw enables unauthenticated users to decrypt PGP messages by submitting private keys, ciphertext, and passphrases directly to the server. As a result, remote attackers can exploit this vulnerability to execute server-side decryption without the need for credentials. This not only exposes sensitive key material potentially logged by the server but also makes the system vulnerable to resource exhaustion attacks, jeopardizing user data integrity and server performance.

Affected Version(s)

AVideo 0 <= 25.0

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

fg0x0