CVE-2026-26227

LOW

VLC for Android <3.7.0 - Auth Bypass

Title source: llm

Description

VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user.

References (3)

[Various Sources] https://www.videolan.org/vlc/download-android.html

[Release Notes] https://https://github.com/videolan/vlc-android/releases/tag/3.7.0

[Third Party Advisory] https://www.vulncheck.com/advisories/vlc-for-android-remote-access-otp-authentication-bypass

Scores

CVSS v3 3.7

EPSS 0.0008

EPSS Percentile 23.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-307

Status published

Products (1)

VideoLAN/VLC for Android < 3.7.0

Published Feb 26, 2026

Tracked Since Feb 27, 2026