CVE-2026-34733 Overview
WWBN AVideo is an open source video platform. A critical PHP operator precedence bug exists in the installation script install/deleteSystemdPrivate.php that allows unauthenticated remote attackers to bypass CLI-only access controls. The vulnerability stems from incorrect operator precedence in the access guard condition, enabling HTTP-based exploitation that can delete files from the server's temp directory while simultaneously disclosing the temp directory contents in the response.
Critical Impact
Unauthenticated attackers can remotely delete server files and obtain sensitive directory information through a simple HTTP request, potentially leading to data loss and information disclosure.
Affected Products
- WWBN AVideo versions 26.0 and prior
- All installations with the install/deleteSystemdPrivate.php script accessible via web
Discovery Timeline
- 2026-03-31 - CVE-2026-34733 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34733
Vulnerability Analysis
The vulnerability exists in the deleteSystemdPrivate.php script, which is part of the AVideo installation process. The script was intended to be executable only from the command line interface (CLI), protecting server administration functions from web-based access. However, a fundamental PHP operator precedence error in the access guard condition renders this protection completely ineffective.
The problematic guard condition !php_sapi_name() === 'cli' is evaluated incorrectly due to PHP's operator precedence rules. The logical NOT operator (!) has higher precedence than the strict comparison operator (===), causing the expression to be evaluated as (!php_sapi_name()) === 'cli' rather than the intended !(php_sapi_name() === 'cli').
Root Cause
The root cause is a classic PHP operator precedence bug (CWE-284: Improper Access Control). When PHP evaluates !php_sapi_name() === 'cli':
- First, php_sapi_name() returns the Server API type (e.g., 'apache2handler' for Apache, 'cli' for command line)
- The ! operator is applied first, converting the non-empty string to false
- Finally, false === 'cli' is evaluated, which always returns false
- Since the condition is always false, the die() statement never executes, allowing HTTP access
The correct implementation should use parentheses to ensure proper evaluation order: !(php_sapi_name() === 'cli') or equivalently php_sapi_name() !== 'cli'.
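The three guard forms discussed above, evaluated side by side against the SAPI names php_sapi_name() commonly returns. This is an added illustration, not code from AVideo's deleteSystemdPrivate.php; the function names and the list of SAPI values are assumptions made for the example.

```php
<?php
// Added illustration of the guard bug described above; it is not code from
// AVideo's deleteSystemdPrivate.php, and the function names are invented.
// Each function answers: "would this guard stop the script for this SAPI?"

// Buggy guard as written in the script: `!` binds tighter than `===`, so PHP
// reads it as (!$sapi) === 'cli'. Negating a non-empty string gives false,
// and false === 'cli' is false, so the guard never stops anything.
function buggyGuardStops(string $sapi): bool
{
    return !$sapi === 'cli';
}

// Fixed guard, first form from the advisory: parenthesise the comparison.
function fixedGuardStops(string $sapi): bool
{
    return !($sapi === 'cli');
}

// Fixed guard, second form from the advisory: strict not-equal.
function fixedGuardStopsAlt(string $sapi): bool
{
    return $sapi !== 'cli';
}

// Constructed list of values php_sapi_name() returns in common deployments.
$sapis = ['cli', 'apache2handler', 'fpm-fcgi', 'cgi-fcgi'];

printf("%-16s %-14s %-14s %s\n", 'SAPI', 'buggy', 'fixed (!(...))', 'fixed (!==)');
foreach ($sapis as $sapi) {
    printf("%-16s %-14s %-14s %s\n",
        $sapi,
        buggyGuardStops($sapi) ? 'stops' : 'lets through',
        fixedGuardStops($sapi) ? 'stops' : 'lets through',
        fixedGuardStopsAlt($sapi) ? 'stops' : 'lets through');
}
```

Run it with the PHP CLI: the buggy column reads "lets through" on every row, while both fixed columns stop every SAPI except cli.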
Attack Vector
The attack can be executed remotely over the network without any authentication or user interaction. An attacker simply needs to send an HTTP request to the vulnerable script endpoint at install/deleteSystemdPrivate.php. Upon access, the script:
- Processes the request as if it were a legitimate CLI invocation
- Deletes files from the server's temporary directory
- Returns the contents of the temp directory in the HTTP response, disclosing potentially sensitive information
The vulnerability is particularly dangerous because it combines file deletion capabilities with information disclosure, allowing attackers to enumerate server directory structures while simultaneously causing data loss.
Detection Methods for CVE-2026-34733
Indicators of Compromise
- HTTP access logs showing requests to /install/deleteSystemdPrivate.php
- Unexpected file deletions in the server's temporary directory
- Web server access logs from external IP addresses targeting installation scripts
- Evidence of directory enumeration in application logs
Detection Strategies
- Monitor web server access logs for requests targeting the /install/ directory, particularly deleteSystemdPrivate.php
- Implement intrusion detection rules to alert on HTTP requests to AVideo installation scripts
- Deploy file integrity monitoring on server temporary directories to detect unauthorized deletions
- Analyze application logs for unusual response patterns containing directory listings
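A small log-review script implementing the first two strategies above, written as an added example rather than anything shipped with AVideo. It assumes PHP 8 and the Apache/Nginx combined log format; the log lines it scans are constructed sample data, and the severity labels are the example's own convention.

```php
<?php
// Added example (not part of AVideo): scan web server access logs in the
// combined format for requests to the installation scripts named in the
// advisory. Assumes PHP 8 (str_starts_with). Sample log lines are constructed.

const LOG_PATTERN = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /';

// The vulnerable endpoint itself, and the installer directory as a whole.
const WATCHED_PATHS  = ['/install/deleteSystemdPrivate.php'];
const WATCHED_PREFIX = '/install/';

function classifyLine(string $line): ?array
{
    if (!preg_match(LOG_PATTERN, $line, $m)) {
        return null;                          // not a recognisable access-log line
    }
    $path = parse_url($m['path'], PHP_URL_PATH) ?? $m['path'];
    if (in_array($path, WATCHED_PATHS, true)) {
        $severity = 'high';                   // hit on the vulnerable script
    } elseif (str_starts_with($path, WATCHED_PREFIX)) {
        $severity = 'medium';                 // any other installer script
    } else {
        return null;
    }
    // A 200 means the web server served the request instead of blocking it;
    // a 403 or 404 shows the install/ deny rule from the mitigation section works.
    return [
        'severity' => $severity,
        'served'   => $m['status'] === '200',
        'ip'       => $m['ip'],
        'time'     => $m['time'],
        'path'     => $path,
        'status'   => (int) $m['status'],
    ];
}

// Constructed sample: one served hit, one unrelated request, one blocked probe.
$sampleLog = <<<'LOG'
203.0.113.7 - - [31/Mar/2026:10:15:02 +0000] "GET /install/deleteSystemdPrivate.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.3 - - [31/Mar/2026:10:15:09 +0000] "GET /view/index.php HTTP/1.1" 200 9813 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Mar/2026:10:16:44 +0000] "GET /install/index.php HTTP/1.1" 403 199 "-" "curl/8.5.0"
LOG;

foreach (explode("\n", $sampleLog) as $line) {
    $hit = classifyLine($line);
    if ($hit !== null) {
        printf("[%s] %s %s -> %s %d%s\n", $hit['severity'], $hit['time'], $hit['ip'],
            $hit['path'], $hit['status'], $hit['served'] ? ' (served, investigate)' : '');
    }
}
```

To run it against a real log, replace $sampleLog with file_get_contents() of the access log and feed any "served" high-severity hit into the log review step under Immediate Actions.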
Monitoring Recommendations
- Configure SIEM alerts for any HTTP traffic to AVideo installation endpoints from non-administrative networks
- Implement real-time monitoring of file system changes in temporary directories
- Enable verbose logging on the AVideo installation to capture all access attempts
- Review and baseline normal installation script access patterns to detect anomalies
How to Mitigate CVE-2026-34733
Immediate Actions Required
- Remove or restrict access to the install/ directory immediately if the installation is complete
- Configure web server rules to block HTTP access to install/deleteSystemdPrivate.php
- Review server logs to determine if the vulnerability has been exploited
- Implement network-level access controls to restrict access to administrative endpoints
Patch Information
At the time of publication, there are no publicly available patches for this vulnerability. Organizations should monitor the WWBN AVideo GitHub Security Advisory for updates on official remediation.
Workarounds
- Delete or rename the install/deleteSystemdPrivate.php script if it is no longer needed after installation
- Add web server configuration rules to deny HTTP access to the entire install/ directory
- Implement application-level access controls or web application firewall rules to block requests to vulnerable endpoints
- Consider moving installation scripts outside of the web-accessible directory structure
# Apache configuration to block access to install directory
<Directory "/path/to/avideo/install">
    Require all denied
</Directory>
# Nginx configuration to block access to install directory
# ^~ gives this prefix match priority over regex locations such as a
# "location ~ \.php$" block, which would otherwise still pass the script to PHP
location ^~ /install/ {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

