WWBN AVideo CVE-2026-43873: Shared Secret Leak Exposes Databases

The National Vulnerability Database has disclosed CVE-2026-43873, a high-severity vulnerability affecting WWBN AVideo, an open-source video platform. Versions up to and including 29.0 are impacted. The flaw resides in `plugin/CloneSite/cloneClient.json.php`, which inadvertently echoes the local CloneSite shared secret (`$objClone->myKey`) into HTTP response bodies for unauthenticated requests.

This isn’t just an information leak; it’s a critical authentication bypass. When AVideo is configured with a remote `cloneSiteURL` for federation or backup, this leaked `myKey` is precisely the credential used to authenticate to the remote server’s `cloneServer.json.php`. An attacker can leverage this to impersonate the victim’s AVideo instance, triggering a full `mysqldump` of the remote database directly into the remote server’s publicly accessible `videos/clones/` directory. This is a complete database compromise, not just a configuration leak.

The National Vulnerability Database reports a CVSS v3.1 score of 7.5 (HIGH), citing the network attack vector and high confidentiality impact. A fix is available in commit `e6566f56a28f4556b2a0a09d03717a719dcb49da`. Defenders running AVideo must prioritize patching immediately, especially if utilizing the CloneSite feature with remote instances. The attacker’s calculus here is straightforward: unauthenticated request, secret disclosed, full database access.

What This Means For You

  • If your organization uses WWBN AVideo, especially with the `CloneSite` federation or backup feature, you are directly exposed to full database compromise. Immediately verify your AVideo version. If it's up to and including 29.0, patch to the latest version or apply the fix from commit `e6566f56a28f4556b2a0a09d03717a719dcb49da`. After patching, assume the shared secret has been compromised and rotate any associated credentials or keys. Audit your `videos/clones/` directory for any unauthorized `mysqldump` files.
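To support the audit step above, this added example (not code from AVideo or from the advisory) triages web access logs for the three paths the advisory names and correlates them per client. It assumes Combined Log Format, a hypothetical `trusted_peers` allowlist of legitimate clone partners, and uses constructed sample lines; feed it logs from both the local and the remote instance.

```python
import re
from collections import defaultdict

# Paths are the ones named in the advisory; everything else is assumed for illustration.
RULES = [
    ("secret-exposure", "/plugin/CloneSite/cloneClient.json.php"),
    ("clone-request", "/plugin/CloneSite/cloneServer.json.php"),
    ("dump-download", "/videos/clones/"),
]
# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def triage(lines, trusted_peers=frozenset()):
    """Map client IP -> [(timestamp, finding, path, status)] for untrusted clients."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] in trusted_peers:
            continue
        path = m["target"].split("?", 1)[0]  # drop the query so keys never reach reports
        status = int(m["status"])
        for name, needle in RULES:
            if needle not in path:
                continue
            # A dump only left the server if a file (not the directory) returned 2xx.
            if name == "dump-download" and (status // 100 != 2 or path.endswith("/")):
                continue
            findings[m["ip"]].append((m["ts"], name, path, status))
    return dict(findings)

def full_chain(findings):
    """IPs that touched a CloneSite endpoint and also fetched a file from the dump directory."""
    endpoints = {"secret-exposure", "clone-request"}
    kinds = {ip: {k for _, k, _, _ in hits} for ip, hits in findings.items()}
    return sorted(ip for ip, ks in kinds.items() if "dump-download" in ks and ks & endpoints)

# Constructed sample lines (documentation IP ranges, placeholder file name and query).
SAMPLE_LOG = [
    '198.51.100.7 - - [11/May/2026:10:02:11 +0000] "GET /plugin/CloneSite/cloneClient.json.php HTTP/1.1" 200 412 "-" "-"',
    '198.51.100.7 - - [11/May/2026:10:02:40 +0000] "GET /plugin/CloneSite/cloneServer.json.php?REDACTED HTTP/1.1" 200 230 "-" "-"',
    '198.51.100.7 - - [11/May/2026:10:03:05 +0000] "GET /videos/clones/EXAMPLE.sql HTTP/1.1" 200 5242880 "-" "-"',
    '192.0.2.10 - - [11/May/2026:03:00:01 +0000] "GET /plugin/CloneSite/cloneServer.json.php?REDACTED HTTP/1.1" 200 230 "-" "-"',
    '203.0.113.5 - - [11/May/2026:09:00:00 +0000] "GET /videos/clones/EXAMPLE.sql HTTP/1.1" 404 199 "-" "-"',
    '203.0.113.9 - - [11/May/2026:09:10:00 +0000] "GET /view/ HTTP/1.1" 200 9000 "-" "-"',
]
```

Calling `full_chain(triage(SAMPLE_LOG, trusted_peers={"192.0.2.10"}))` returns the clients whose activity spans a CloneSite endpoint and a successful dump download; any file found under `videos/clones/` that does not match a scheduled clone run should be treated as exposed.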

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

high T1190 Initial Access

AVideo CloneSite Shared Secret Leak - CVE-2026-43873

Sigma YAML
title: AVideo CloneSite Shared Secret Leak - CVE-2026-43873
id: scw-2026-05-11-ai-1
status: experimental
level: high
description: |
  Detects the specific unauthenticated request to cloneClient.json.php that leaks the CloneSite shared secret in the HTTP response body, as described in CVE-2026-43873. This leak allows attackers to obtain credentials for remote clone site authentication.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43873/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Field names follow the Sigma webserver taxonomy (cs-uri-stem, cs-uri-query, sc-status).
  # This selection (HTTP 200) is defined but not referenced by the condition below.
  selection:
    cs-uri-stem|contains:
      - '/plugin/CloneSite/cloneClient.json.php'
    cs-uri-query|contains:
      - 'cloneKey='
    sc-status:
      - 200
  selection_base:
    cs-uri-stem|contains:
      - '/plugin/CloneSite/cloneClient.json.php'
  selection_error:
    cs-uri-query|contains:
      - 'cloneKey='
    sc-status:
      - 500
  # Sigma condition operators are lowercase.
  condition: selection_base and selection_error
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-43873 | Information Disclosure | WWBN AVideo versions up to and including 29.0 |
| CVE-2026-43873 | Information Disclosure | `plugin/CloneSite/cloneClient.json.php` leaks `$objClone->myKey` (`md5($global['systemRootPath'] . $global['salt'])`) |
| CVE-2026-43873 | Auth Bypass | Impersonation of victim to remote `cloneServer.json.php` using leaked `myKey` |
| CVE-2026-43873 | Information Disclosure | Remote database `mysqldump` to public `videos/clones/` directory |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 12, 2026 at 01:22 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.