CVE-2026-26227

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-26227
VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user.

3.7 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://https://github.com/videolan/vlc-android/releases/tag/3.7.0
https://www.videolan.org/vlc/download-android.html
https://www.vulncheck.com/advisories/vlc-for-android-remote-access-otp-authentication-bypass
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) VideoLAN VLC para Android anterior a la versión 3.7.0 contiene una omisión de autenticación en la característica del servidor de acceso remoto debido a la falta o insuficiencia de limitación de velocidad en la verificación de contraseña de un solo uso (OTP). El servidor de acceso remoto utiliza una OTP de 4 dígitos y no aplica una limitación o bloqueo efectivo dentro de la ventana de validez de la OTP, permitiendo a un atacante con accesibilidad de red al servidor intentar repetidamente la verificación de la OTP hasta que se emita una cookie de user_session válida. La explotación exitosa resulta en acceso no autorizado a la interfaz de acceso remoto, limitado a los archivos multimedia compartidos explícitamente por el usuario de VLC para Android.

27 Feb 2026, 19:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 3.7

26 Feb 2026, 19:32

Type Values Removed Values Added
Summary (en) VideoLAN VLC for Android prior to version 3.7.0 contain an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user. (en) VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user.

26 Feb 2026, 18:23

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-26 18:23

Updated : 2026-04-15 00:35

NVD link : CVE-2026-26227

Mitre link : CVE-2026-26227

CVE.ORG link : CVE-2026-26227

JSON object : View

Products Affected

No product.

CWE
CWE-307

Improper Restriction of Excessive Authentication Attempts