CVE-2024-48928

7.5 HIGH

📋 TL;DR

Piwigo 14.x generates its secret key with weak randomness during installation. An attacker can brute-force the key in about one hour and then potentially bypass CSRF protection and generate certain tokens. This affects all Piwigo 14.x installations that use a MySQL database.

💻 Affected Systems

Products:
  • Piwigo
Versions: 14.x branch
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using a MySQL database whose secret_key was generated during installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could bypass CSRF protection, potentially perform actions as authenticated users, and generate ephemeral keys when combined with other information.

🟠 Likely Case

CSRF token bypass allowing attackers to trick authenticated users into performing unintended actions via crafted requests.

🟢 If Mitigated

Limited impact due to additional protections on auto-login keys (require password) and pwg tokens (require session ID).

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The brute-force attack takes approximately one hour. It requires the ability to interact with the application in order to test CSRF tokens.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.0.0

Vendor Advisory: https://github.com/Piwigo/Piwigo/security/advisories/GHSA-hghg-37rg-7r42

Restart Required: No

Instructions:

1. Upgrade Piwigo to version 15.0.0 or later.
2. No database migration is required.
3. The fix improves secret key generation to use more secure randomness.

🔧 Temporary Workarounds

Manually regenerate the secret key

Manually set a strong secret key in the Piwigo configuration: edit local/config/database.inc.php and set $conf['secret_key'] to a strong random value (at least 32 characters).

🧯 If You Can't Patch

  • Implement additional CSRF protection mechanisms at web server level
  • Restrict access to Piwigo installation to trusted networks only

🔍 How to Verify

Check if Vulnerable:

Check the Piwigo version in the admin dashboard or by examining the source files. Any version in the 14.x branch is vulnerable.

Check Version:

Check the Piwigo admin dashboard or examine the include/version.php file for version information.

Verify Fix Applied:

Verify that the Piwigo version is 15.0.0 or higher. Also check that the configured secret_key is not the one produced by the weak 14.x installer (i.e. it has been regenerated or set manually).

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed CSRF token validations from single IP
  • Unusual pattern of authentication attempts

Network Indicators:

  • Rapid sequential requests testing different CSRF tokens
  • Pattern of requests with incrementing token values

SIEM Query:

source="piwigo_logs" AND (message="CSRF token invalid" OR message="authentication failed") | stats count by src_ip
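As an added example (not part of this advisory or of Piwigo), the aggregation behind the SIEM query above, run offline over constructed sample log lines. It assumes a simple `timestamp ip message` layout; Piwigo's real log format may differ, so the regex and field order are assumptions. It also goes one step beyond the query by flagging only bursts of failures inside a sliding time window, which separates a token brute-force from ordinary scattered login failures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp ip message" layout: one IP
# bursts five CSRF failures in seconds, one trickles four over an hour, one fails once.
SAMPLE_LOG = """\
2024-10-14T10:00:01Z 203.0.113.7 CSRF token invalid
2024-10-14T10:00:03Z 203.0.113.7 CSRF token invalid
2024-10-14T10:00:04Z 198.51.100.4 authentication failed
2024-10-14T10:00:05Z 203.0.113.7 CSRF token invalid
2024-10-14T10:00:06Z 203.0.113.7 CSRF token invalid
2024-10-14T10:00:08Z 203.0.113.7 CSRF token invalid
2024-10-14T10:00:10Z 203.0.113.7 user login ok
2024-10-14T08:00:00Z 192.0.2.9 CSRF token invalid
2024-10-14T08:20:00Z 192.0.2.9 CSRF token invalid
2024-10-14T08:40:00Z 192.0.2.9 CSRF token invalid
2024-10-14T09:00:00Z 192.0.2.9 CSRF token invalid
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<msg>.+)$")
# The two message strings the advisory's SIEM query matches on.
SUSPICIOUS = {"CSRF token invalid", "authentication failed"}

def suspicious_by_ip(lines):
    """Group timestamps of the two flagged message types by source IP."""
    stamps = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["msg"] in SUSPICIOUS:
            stamps[m["ip"]].append(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    return stamps

def count_by_ip(lines):
    """Same aggregation as the SIEM query's 'stats count by src_ip'."""
    return {ip: len(t) for ip, t in suspicious_by_ip(lines).items()}

def flag_bursts(lines, threshold=4, window=timedelta(minutes=10)):
    """IPs with >= threshold suspicious events inside any sliding window:
    a burst of token guesses is flagged, a slow trickle of failures is not."""
    flagged = {}
    for ip, times in suspicious_by_ip(lines).items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Tune `threshold` and `window` to the site's normal failure rate before alerting on the result.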
