Broken Access Control in Invidious Affects User Privacy
CVE-2026-57946
6.3 MEDIUM
What is CVE-2026-57946?
A vulnerability in Invidious versions prior to 2.20260626.0 allows unauthorized users to read private playlist contents through the RSS feed playlist endpoint. The endpoint does not require authentication, so an attacker needs only a playlist ID to retrieve sensitive information, including the playlist's complete contents and the owner's email address. Users' private data is therefore exposed to anyone who can reach the endpoint.
Affected Version(s)
Invidious 0 < 2.20260626.0
