CVE-2026-34733: CWE-284: Improper Access Control in WWBN AVideo
CVE-2026-34733 is a medium severity improper access control vulnerability in WWBN AVideo versions 26.0 and earlier. The vulnerability arises from a PHP operator precedence bug in the install/deleteSystemdPrivate.php script's CLI-only access guard, which incorrectly allows HTTP access to a script intended only for command-line execution. This flaw enables unauthenticated remote attackers to invoke the script via HTTP, causing deletion of files in the server's temporary directory and disclosure of its contents. No public patches are available at the time of disclosure, and no known exploits have been reported in the wild. The vulnerability impacts confidentiality and availability but does not affect integrity. Organizations using affected AVideo versions should restrict HTTP access to the vulnerable script and monitor for suspicious activity. Countries with significant AVideo deployments and open-source video platform usage are at higher risk.
AI Analysis
Technical Summary
CVE-2026-34733 is an improper access control vulnerability in the open-source WWBN AVideo platform, specifically affecting versions 26.0 and prior. The root cause is a PHP operator precedence error in the install/deleteSystemdPrivate.php script, which is designed to be executed only from the command line interface (CLI). The script contains a guard condition intended to prevent web-based access, written as !php_sapi_name() === 'cli'. Because PHP's logical NOT operator (!) binds more tightly than the strict equality operator (===), the expression is parsed as (!php_sapi_name()) === 'cli'. php_sapi_name() returns a non-empty string, so its negation is the boolean false, which is never identical to the string 'cli'; the condition therefore evaluates to false under every SAPI, and the die() statement that should block non-CLI access never executes. As a result, the script can be accessed via HTTP without authentication. When accessed remotely, the script deletes files from the server's temporary directory and returns the directory contents in the HTTP response, leading to information disclosure and partial denial of service. The vulnerability does not require authentication or user interaction and can be exploited remotely with low complexity. At the time of publication, no patches or official fixes have been released, and there are no known active exploits. This vulnerability is classified under CWE-284 (Improper Access Control) and has a CVSS v3.1 base score of 6.5, reflecting medium severity with network attack vector, no privileges required, and no user interaction needed.
Potential Impact
The vulnerability impacts confidentiality by disclosing the contents of the server's temporary directory, potentially revealing sensitive information such as temporary files, credentials, or configuration data. It also impacts availability by deleting files in the temp directory, which may disrupt normal server operations or cause application instability. Although integrity is not directly affected, the deletion of files could indirectly lead to corrupted application states or data loss. The ease of exploitation (no authentication or user interaction required) and remote accessibility increase the risk of automated attacks or scanning by threat actors. Organizations running affected versions of AVideo may face service disruptions and data exposure, which could lead to reputational damage, compliance violations, and increased operational costs for remediation and recovery.
Mitigation Recommendations
Since no official patches are available, organizations should implement immediate compensating controls. First, restrict HTTP access to the install/deleteSystemdPrivate.php script by configuring web server rules (e.g., using .htaccess, nginx location blocks, or firewall rules) to deny all external requests to this path. Second, audit and monitor server temporary directories for unexpected file deletions or access patterns indicative of exploitation attempts. Third, consider isolating the AVideo installation environment to limit the impact of potential exploitation, such as running the application in a container or sandbox with restricted permissions. Fourth, review and correct any similar operator precedence issues in custom or third-party PHP scripts to prevent analogous vulnerabilities. Finally, maintain vigilance for updates from WWBN and apply official patches promptly once available.
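The guard expression from the Technical Summary and the fourth mitigation step (finding and correcting similar precedence mistakes), as an added PHP example that is not AVideo's code and does not reproduce the vulnerable script. It evaluates the described guard shape against constructed SAPI names to show why it never blocks, shows a correct guard, and includes a small regex-based source scanner (findNegationPrecedenceBugs, a name chosen here) run over a constructed snippet; the sample SAPI names and the snippet are assumptions made for the demonstration.

```php
<?php
// Added example, not part of WWBN AVideo. It illustrates the operator precedence
// mistake described in the advisory and a defensive check for it.

// php_sapi_name() returns a non-empty string naming the interface PHP runs
// under. These values are constructed for the demonstration.
$sampleSapis = ['cli', 'fpm-fcgi', 'apache2handler', 'cgi-fcgi'];

/**
 * The guard shape the advisory describes. PHP binds ! tighter than ===, so this
 * is (!$sapi) === 'cli'. Negating a non-empty string gives bool(false), and
 * false === 'cli' is false for every SAPI, so a die() behind it never runs.
 */
function brokenGuardBlocks(string $sapi): bool
{
    return !$sapi === 'cli';
}

/**
 * A correct guard: compare the SAPI name itself, without relying on the
 * precedence of !. Equivalent forms are !($sapi === 'cli') and $sapi !== 'cli'.
 */
function fixedGuardBlocks(string $sapi): bool
{
    return $sapi !== 'cli';
}

/**
 * Defensive source check for mitigation step four: flag "!expr === ..." and
 * "!expr == ..." where expr is a variable or a function call, the pattern in
 * which ! silently applies to the operand rather than to the comparison.
 * Returns one entry per hit with its 1-based line number.
 */
function findNegationPrecedenceBugs(string $source): array
{
    $pattern = '/!\s*(?:\$\w+|[A-Za-z_]\w*\s*\([^()]*\))\s*(?:===|!==|==|!=)/';
    preg_match_all($pattern, $source, $matches, PREG_OFFSET_CAPTURE);
    $hits = [];
    foreach ($matches[0] as [$text, $offset]) {
        $line = substr_count($source, "\n", 0, $offset) + 1;
        $hits[] = ['line' => $line, 'code' => trim($text)];
    }
    return $hits;
}

// 1. Show how each guard behaves per SAPI. Only the fixed guard blocks web SAPIs.
foreach ($sampleSapis as $sapi) {
    printf("%-15s broken guard blocks: %-3s  fixed guard blocks: %s\n",
        $sapi,
        brokenGuardBlocks($sapi) ? 'yes' : 'no',
        fixedGuardBlocks($sapi) ? 'yes' : 'no');
}

// 2. Run the scanner over a constructed snippet with one bad and one good guard.
$constructedSource = <<<'SRC'
<?php
if (!php_sapi_name() === 'cli') {      // bad: always false
    die('CLI only');
}
if (php_sapi_name() !== 'cli') {       // good
    die('CLI only');
}
SRC;

foreach (findNegationPrecedenceBugs($constructedSource) as $hit) {
    printf("line %d: suspicious negation before comparison: %s\n", $hit['line'], $hit['code']);
}

// 3. How a CLI-only maintenance script should begin: refuse every web SAPI
//    before doing any destructive work. PHP_SAPI is the constant form of
//    php_sapi_name().
if (PHP_SAPI !== 'cli') {
    http_response_code(403);
    exit('This script can only be run from the command line.');
}
echo "Running under the CLI; a real maintenance task would start here.\n";
```

Run it with the PHP CLI. The first table shows the broken guard reporting "no" for every SAPI, including the web ones, while the fixed guard reports "yes" for everything except cli; the scanner flags line 2 of the constructed snippet and leaves the correctly written guard alone. The regex is deliberately narrow (a negated variable or call followed directly by a comparison operator) so it can be dropped into a pre-commit check without drowning reviewers in false positives; a parser-based lint such as a PHPStan or Psalm rule is the more thorough option where one is already in use.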
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-30T18:41:20.754Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cc37c1e6bfc5ba1d418a07
Added to database: 3/31/2026, 9:08:17 PM
Last enriched: 3/31/2026, 9:25:14 PM
Last updated: 3/31/2026, 10:35:07 PM