CVE-2026-33354 Overview
CVE-2026-33354 is a Path Traversal vulnerability affecting WWBN AVideo, an open source video platform. The vulnerability exists in the POST /objects/aVideoEncoder.json.php endpoint, which accepts a user-controlled chunkFile parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass the isValidURLOrPath() validation function. This weak validation allows files under broad server directories including /var/www/, the application root, cache, tmp, and videos directories, only rejecting .php files.
For an authenticated uploader editing their own video, this vulnerability enables arbitrary local file read. The endpoint copies the attacker-chosen local file into the attacker's public video storage path, after which it can be downloaded over HTTP, resulting in sensitive information disclosure.
Critical Impact
Authenticated attackers can read arbitrary files from the server filesystem (excluding .php files) by manipulating the chunkFile parameter, potentially exposing configuration files, database credentials, and other sensitive data.
Affected Products
- WWBN AVideo versions up to and including 26.0
Discovery Timeline
- 2026-03-23 - CVE-2026-33354 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33354
Vulnerability Analysis
The vulnerability stems from insufficient input validation in the video encoding endpoint. When processing staged upload chunks, the application relies on a helper function isValidURLOrPath() that was designed to be permissive rather than restrictive. This function allows any path under /var/www/, the application root, cache directories, temporary directories, and the videos folder, with the only protection being a rejection of .php files.
The original code attempted to prevent path traversal attacks using a simple str_replace('../', '') approach, which is trivially bypassable using variations like ....// that collapse to ../ after the replacement. Combined with the overly broad path validation, this creates a significant information disclosure vulnerability.
An authenticated user with video upload permissions can specify a path to any sensitive file on the server (such as /var/www/config/database.php minus the PHP extension restriction, or configuration files, environment files, and other sensitive data). The application then copies this file to the user's public video storage directory, making it accessible for download.
Root Cause
The root cause of this vulnerability is twofold: inadequate path sanitization using bypassable string replacement (str_replace('../', '')) and an overly permissive path validation function (isValidURLOrPath()) that allows access to broad server directories rather than restricting file access to legitimate chunk storage locations only.
Attack Vector
The attack vector is network-based and requires low-privilege authentication (an account capable of uploading videos). The attacker exploits the vulnerability by:
- Authenticating to the AVideo platform as a user with upload privileges
- Initiating a video edit request
- Manipulating the chunkFile POST parameter to reference a target file on the filesystem
- Using path traversal techniques (e.g., ....// sequences) to bypass the basic sanitization
- The application copies the target file to the attacker's public storage path
- Downloading the sensitive file via HTTP from the public video storage location
// Vulnerable code pattern (before patch)
} else {
$obj->lines[] = __LINE__;
}
$_REQUEST['chunkFile'] = str_replace('../', '', $_REQUEST['chunkFile']);
if (empty($_FILES['video']['tmp_name']) && isValidURLOrPath($_REQUEST['chunkFile'])) {
$obj->lines[] = __LINE__;
$_FILES['video']['tmp_name'] = $_REQUEST['chunkFile'];
// Patched code - implements strict allowlist validation
// SECURITY: Validate chunkFile against a strict allowlist of temp directories only.
// The old str_replace('../', '') path-traversal guard was bypassable (e.g. '....//'),
// and isValidURLOrPath() was too broad — it allowed any path under /var/www/, the
// application root, and the videos directory, enabling arbitrary local file read for
// any authenticated uploader. We now use realpath() to canonicalise the path and
// verify it is rooted inside getTmpDir() or sys_get_temp_dir() only.
if (empty($_FILES['video']['tmp_name']) && !empty($_REQUEST['chunkFile'])) {
$resolvedChunkFile = realpath($_REQUEST['chunkFile']);
if ($resolvedChunkFile !== false) {
$allowedChunkDirs = array_filter(array_unique([
realpath(getTmpDir()),
realpath(sys_get_temp_dir()),
]));
$chunkAllowed = false;
foreach ($allowedChunkDirs as $allowedDir) {
// Use DIRECTORY_SEPARATOR so '/tmp' cannot match '/tmpfoo'
if (str_starts_with($resolvedChunkFile, $allowedDir . DIRECTORY_SEPARATOR) ||
$resolvedChunkFile === $allowedDir) {
$chunkAllowed = true;
break;
}
}
if ($chunkAllowed) {
Source: GitHub Commit 59bbd601
Detection Methods for CVE-2026-33354
Indicators of Compromise
- Unusual POST requests to /objects/aVideoEncoder.json.php containing path traversal sequences in the chunkFile parameter
- Log entries showing attempts to access sensitive files outside expected chunk directories
- Unexpected files appearing in user video storage directories that match system configuration or credential file formats
Detection Strategies
- Monitor web server access logs for requests to aVideoEncoder.json.php with suspicious chunkFile parameter values containing ../, ....//, or absolute paths
- Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns in POST parameters
- Review application logs for file operations involving paths outside of designated temporary upload directories
Monitoring Recommendations
- Enable detailed logging for the video encoding endpoint to capture all chunkFile parameter values
- Set up alerts for any requests containing path traversal sequences targeting the vulnerable endpoint
- Monitor file system access patterns for the web application user to detect reads from sensitive directories
How to Mitigate CVE-2026-33354
Immediate Actions Required
- Update WWBN AVideo to a version containing commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f or later
- Review web server logs for evidence of exploitation attempts targeting the chunkFile parameter
- Audit user video storage directories for any unexpected or suspicious files that may indicate prior exploitation
- Consider restricting upload privileges to trusted users until the patch is applied
Patch Information
The vulnerability has been addressed in commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f. The fix implements a strict allowlist approach using realpath() to canonicalize paths and verify they are rooted inside getTmpDir() or sys_get_temp_dir() only. This replaces the bypassable string replacement approach with proper path validation.
For more details, see the GitHub Security Advisory GHSA-4jw9-5hrc-m4j6 and the patch commit.
Workarounds
- Restrict network access to the AVideo application to trusted users only until patching is complete
- Implement WAF rules to block requests containing path traversal patterns in the chunkFile parameter
- Temporarily disable video upload functionality if it is not business-critical
# Example WAF rule concept for blocking path traversal in chunkFile parameter
# This is a general pattern - adapt to your specific WAF solution
# Block requests containing path traversal sequences
# Pattern matches: ../, ....// and similar evasion techniques
SecRule ARGS:chunkFile "@rx (\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.%2e/|%2e\.)" \
"id:100001,phase:2,deny,status:403,msg:'Path Traversal Attempt in chunkFile'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
