Authentication Bypass in VideoLAN VLC for Android
CVE-2026-26227

6.3 MEDIUM

Key Information:

Vendor: Videolan
CVE Published: 26 February 2026

What is CVE-2026-26227?

VLC for Android versions prior to 3.7.0 are susceptible to an authentication bypass in the Remote Access Server feature. The vulnerability arises from insufficient rate limiting on one-time password (OTP) verification. An attacker with network access to the server can attempt OTP verification repeatedly and ultimately gain unauthorized access to the Remote Access interface. That access allows browsing and accessing the media files that users of VLC for Android have explicitly shared.
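The missing control described above, as an added example (not VLC's code or its 3.7.0 fix): an OTP check that caps wrong guesses per issued code, burns the code when the cap is reached, and counts failures globally rather than per client address. The class name, digit count, failure cap and lockout period are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

# Hypothetical policy values, not taken from VLC.
OTP_DIGITS = 4
MAX_FAILURES = 5       # wrong guesses tolerated per issued code
LOCKOUT_SECONDS = 60   # no new code can be issued during this period


class OtpGate:
    """Issues a numeric OTP and bounds how many guesses it is ever tested against."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._code = None
        self._failures = 0
        self._locked_until = 0.0

    def issue(self):
        """Generate a fresh code for the device owner to read off the screen."""
        if self._clock() < self._locked_until:
            raise PermissionError("OTP issuing is locked out")
        self._code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._failures = 0
        return self._code

    def verify(self, guess):
        """Return True once for the correct code; False in every other case."""
        if self._code is None or self._clock() < self._locked_until:
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(guess.encode(), self._code.encode()):
            self._code = None  # single use
            return True
        # The counter is global: a per-address counter resets whenever the
        # client changes its source address, so it does not bound guesses.
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._code = None  # burned: later guesses cannot match it
            self._locked_until = self._clock() + LOCKOUT_SECONDS
        return False
```

With these values, any one issued code is compared against at most five wrong guesses, so repeated verification requests no longer converge on the correct code.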

Affected Version(s)

VLC for Android 0 < 3.7.0

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

XavLimSG