Authentication Bypass in VideoLAN VLC for Android
CVE-2026-26227
6.3 MEDIUM
What is CVE-2026-26227?
VLC for Android versions prior to 3.7.0 are susceptible to an authentication bypass in the Remote Access Server feature. The vulnerability arises from insufficient rate limiting on the one-time password (OTP) verification process. An attacker with network access to the server can repeatedly attempt OTP verification and ultimately gain unauthorized access to the Remote Access interface. That access allows browsing and accessing the media files that users of VLC for Android have explicitly shared.
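The control the description says was insufficient, sketched as an added example (not VLC's code and not the fix shipped in 3.7.0): an OTP check with a per-code failure budget, an expiry and single use. The class name `OtpGate`, the 6-digit code, the 5-failure budget and the 60-second lifetime are assumptions.

```python
import hmac
import secrets
import threading
import time


class OtpGate:
    """Guards one pairing code with a failure budget, an expiry and single use."""

    def __init__(self, max_failures=5, ttl_seconds=60, digits=6, clock=time.monotonic):
        # All four defaults are assumed policy values, not taken from the advisory.
        self.max_failures = max_failures
        self.ttl_seconds = ttl_seconds
        self.digits = digits
        self.clock = clock
        self._lock = threading.Lock()   # requests may arrive concurrently
        self._code = None
        self._expires_at = 0.0
        self._failures = 0

    def issue(self):
        """Create a fresh code (to be shown on the device) and reset the budget."""
        with self._lock:
            self._code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
            self._expires_at = self.clock() + self.ttl_seconds
            self._failures = 0
            return self._code

    def verify(self, candidate):
        """Return 'ok', 'rejected' or 'locked'."""
        with self._lock:
            if self._code is None or self.clock() >= self._expires_at:
                self._code = None
                return "locked"
            if hmac.compare_digest(candidate.encode(), self._code.encode()):
                self._code = None       # consume on success: single use
                return "ok"
            # The counter belongs to the code, not to the client address,
            # so a different source address does not get a new budget.
            self._failures += 1
            if self._failures >= self.max_failures:
                self._code = None       # budget spent: the code is void from now on
                return "locked"
            return "rejected"
```

Once `verify` returns `locked`, only a new `issue()` call, triggered by the user on the device, makes verification possible again.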
Affected Version(s)
VLC for Android: versions before 3.7.0