Description
VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user.
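The weakness described above is a textbook CWE-307 case: a 4-digit OTP has only 10,000 possible values, so everything rests on how many guesses the server is willing to evaluate inside the validity window. The following Python sketch is an added example, not VLC's code; it shows a minimal OTP verifier with lockout disabled (reproducing the weakness) beside the same verifier with lockout enabled, plus a helper that measures how many guesses the server still evaluates. The validity window (60 s) and failure threshold (5) are assumed values, not VLC's.

```python
import secrets
import time

OTP_DIGITS = 4           # matches the 4-digit OTP described in the advisory
OTP_TTL_SECONDS = 60     # assumed validity window, not VLC's real value
MAX_FAILURES = 5         # assumed lockout threshold, not VLC's real value


class OtpVerifier:
    def __init__(self, enforce_lockout, now=time.monotonic):
        self.enforce_lockout = enforce_lockout   # False reproduces the CWE-307 weakness
        self.now = now                           # injectable clock so tests can expire OTPs
        self.otp = None
        self.issued_at = 0.0
        self.failures = 0
        self.locked = False

    def issue(self):
        """Generate a fresh OTP for one pairing attempt and reset the failure counter."""
        self.otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.issued_at = self.now()
        self.failures = 0
        self.locked = False
        return self.otp

    def verify(self, guess):
        """Return (status, session_cookie); status is ok / wrong / locked / expired."""
        if self.locked:
            return "locked", None
        if self.otp is None or self.now() - self.issued_at > OTP_TTL_SECONDS:
            return "expired", None
        if secrets.compare_digest(guess, self.otp):
            self.otp = None                      # single use: a second submit is refused
            return "ok", "user_session=" + secrets.token_hex(16)
        self.failures += 1
        if self.enforce_lockout and self.failures >= MAX_FAILURES:
            self.locked = True                   # OTP invalidated; the user must re-pair
            self.otp = None
        return "wrong", None


def attempts_processed(verifier, guess, budget):
    """Submit `guess` up to `budget` times and count how many the server evaluates."""
    evaluated = 0
    for _ in range(budget):
        if verifier.verify(guess)[0] != "wrong":
            break
        evaluated += 1
    return evaluated
```

Without lockout the verifier evaluates the whole 10,000-guess budget within one validity window; with lockout it evaluates at most MAX_FAILURES and then refuses the OTP even when the correct value is finally submitted.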
References (3)
Core References
Various Sources product
https://www.videolan.org/vlc/download-android.html
Release Notes patch
https://github.com/videolan/vlc-android/releases/tag/3.7.0
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/vlc-for-android-remote-access-otp-authentication-bypass
Scores
CVSS v3
3.7
EPSS
0.0030
EPSS Percentile
21.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-307
Status
published
Products (1)
VideoLAN/VLC for Android
< 3.7.0
Published
Feb 26, 2026
Tracked Since
Feb 27, 2026