Broken Object Level Authorization in Invidious Affects User Playlists
CVE-2026-58447

7.1HIGH

Key Information:

Vendor: Iv-org
Status: Invidious
Vendor: CVE Published:; 30 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-58447?

Invidious versions up to 2.20260626.0 are susceptible to a broken object level authorization vulnerability, enabling authenticated attackers to delete videos from any user's playlists by manipulating global video indices in the remove_video action of the playlist endpoint. This vulnerability lacks ownership validation, allowing attackers to leverage the public playlist JSON API to gain access to per-video index values and use them to delete videos from playlists they do not own, resulting in unauthorized deletion of user content.

Affected Version(s)

Invidious 0 <= 2.20260626.0

Invidious 77ad41678b45c4f6815940123f1796fc51259f45

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-58447 - Proof of Concept

References

https://github.com/iv-org/invidious/issues/5777

technical-descriptionexploit

https://github.com/iv-org/invidious/pull/5790

issue-tracking

https://github.com/iv-org/invidious/commit/77ad41678b45c4...

patch

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 30, 2026
👾
Exploit known to exist
Jun 30, 2026
Vulnerability published
Jun 30, 2026
Vulnerability Reserved
Jun 30, 2026

Credit

George Chen

CVE-2026-58447 Data

JSON

Iv-org

Badges

What is CVE-2026-58447?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit