{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26227", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-11T20:08:07.946Z", "datePublished": "2026-02-26T17:37:19.896Z", "dateUpdated": "2026-03-05T01:31:01.159Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "vlc-android", "product": "VLC for Android", "repo": "https://github.com/videolan/vlc-android", "vendor": "VideoLAN", "versions": [{"lessThan": "3.7.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:videolan:vlc:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.7.0"}]}]}], "credits": [{"lang": "en", "type": "finder", "value": "XavLimSG"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user."}], "value": "VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6.3, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-05T01:31:01.159Z"}, "references": [{"tags": ["product"], "url": "https://www.videolan.org/vlc/download-android.html"}, {"tags": ["patch"], "url": "https://https://github.com/videolan/vlc-android/releases/tag/3.7.0"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/vlc-for-android-remote-access-otp-authentication-bypass"}], "source": {"discovery": "EXTERNAL"}, "title": "VLC for Android < 3.7.0 Remote Access OTP Authentication Bypass", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T16:19:46.254546Z", "id": "CVE-2026-26227", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:19:56.230Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26227", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T16:19:46.254546Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T18:33:10.440Z"}}], "cna": {"title": "VLC for Android < 3.7.0 Remote Access OTP Authentication Bypass", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "XavLimSG"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/videolan/vlc-android", "vendor": "VideoLAN", "product": "VLC for Android", "versions": [{"status": "affected", "version": "0", "lessThan": "3.7.0", "versionType": "semver"}], "packageName": "vlc-android", "defaultStatus": "unaffected"}], "references": [{"url": "https://www.videolan.org/vlc/download-android.html", "tags": ["product"]}, {"url": "https://https://github.com/videolan/vlc-android/releases/tag/3.7.0", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/vlc-for-android-remote-access-otp-authentication-bypass", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user.", "supportingMedia": [{"type": "text/html", "value": "VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:videolan:vlc:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.7.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-05T01:31:01.159Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26227", "state": "PUBLISHED", "dateUpdated": "2026-03-05T01:31:01.159Z", "dateReserved": "2026-02-11T20:08:07.946Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-26T17:37:19.896Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user."}, {"lang": "es", "value": "VideoLAN VLC para Android anterior a la versi\u00f3n 3.7.0 contiene una omisi\u00f3n de autenticaci\u00f3n en la caracter\u00edstica del servidor de acceso remoto debido a la falta o insuficiencia de limitaci\u00f3n de velocidad en la verificaci\u00f3n de contrase\u00f1a de un solo uso (OTP). El servidor de acceso remoto utiliza una OTP de 4 d\u00edgitos y no aplica una limitaci\u00f3n o bloqueo efectivo dentro de la ventana de validez de la OTP, permitiendo a un atacante con accesibilidad de red al servidor intentar repetidamente la verificaci\u00f3n de la OTP hasta que se emita una cookie de user_session v\u00e1lida. La explotaci\u00f3n exitosa resulta en acceso no autorizado a la interfaz de acceso remoto, limitado a los archivos multimedia compartidos expl\u00edcitamente por el usuario de VLC para Android."}], "id": "CVE-2026-26227", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-26T18:23:07.190", "references": [{"source": "disclosure@vulncheck.com", "url": "https://https://github.com/videolan/vlc-android/releases/tag/3.7.0"}, {"source": "disclosure@vulncheck.com", "url": "https://www.videolan.org/vlc/download-android.html"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/vlc-for-android-remote-access-otp-authentication-bypass"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "vlc_for_android", "vendor": "videolan"}], "analysis": {"en": {"generated_at": "2026-04-16T16:06:11.838116+00:00", "value": {"mitigation_remediation": ["Upgrade VLC for Android to version 3.7.0 or later to eliminate the authentication bypass flaw.", "If an update is not immediately possible, disable the Remote Access Server feature within VLC to prevent external OTP attempts.", "Restrict network access to the VLC Remote Access port using firewalls or network segmentation to limit the attack surface."], "summary": {"action": "Patch Now", "impact": "Unauthorized Remote Access"}, "threat_synthesis": {"affected_systems": "VideoLAN VLC for Android versions earlier than 3.7.0 are affected. The exact version range is all releases before 3.7.0, as the issue is documented only for those older builds. ", "description_and_impact": "VideoLAN VLC for Android versions before 3.7.0 have a flaw in the Remote Access Server that allows an attacker to bypass one\u2011time password authentication. The server accepts a 4\u2011digit OTP but does not enforce rate limiting or lockout, letting an attacker repeatedly try OTP values until a valid user_session cookie is issued. Successful exploitation grants the attacker unauthorized access to the Remote Access interface, exposing only those media files the VLC user has explicitly shared. This flaw is an authentication bypass (CWE\u2011307), leading to confidential data exposure and potential further attacks on the device. ", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.3, indicating moderate to high severity. The EPSS score is below 1\u202f%, implying that exploitation is considered unlikely at this time, and the issue is not listed in the CISA KEV catalog. However, because the attack vector relies on network reachability to the VLC Remote Access Server, any publicly exposed or poorly secured instance could be targeted. Once an OTP brute\u2011force succeeds, the attacker gains an authenticated session for all shared media without additional privileges. "}}}}, "created": "2026-02-27T09:07:16.381162+00:00", "updated": "2026-04-16T16:15:08.464432+00:00", "vendors": ["videolan", "videolan$PRODUCT$vlc_for_android"]}