Skip to main content

Invidious CVE-2026-57946

| EUVDEUVD-2026-40163 MEDIUM
Missing Authorization (CWE-862)
2026-06-29 disclosure@vulncheck.com GHSA-vppr-73v3-3pc6
6.3
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.7 LOW

AV:N and PR:N because the endpoint is network-accessible with no authentication required; AC:H because exploitation depends on prior knowledge of a private playlist ID; C:L for limited data disclosure with no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 29, 2026 - 19:01 EUVD
Analysis Generated
Jun 29, 2026 - 18:38 vuln.today

DescriptionCVE.org

Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain the full playlist contents, owner email address, and associated video entries without any authentication.

AnalysisAI

Unauthenticated access to private playlist data in Invidious before v2.20260626.0 is possible via a broken authorization check on the RSS feed playlist endpoint. By supplying a known playlist ID to this endpoint, a remote attacker with no credentials can retrieve the full contents of a private playlist, the owner's email address, and all associated video entries. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-facing Invidious instance
Delivery
Obtain valid private playlist ID via disclosure or enumeration
Exploit
Send unauthenticated HTTP GET to RSS feed playlist endpoint
Execution
Receive private playlist contents and owner email address
Impact
Deanonymize playlist owner

Vulnerability AssessmentAI

Exploitation The attacker must possess or be able to discover a valid private playlist ID from the target Invidious instance; this is a non-trivial prerequisite and the basis for AC:H in the CVSS 4.0 vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.3 with vector AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N accurately characterizes the risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker learns a private playlist ID through a prior information disclosure (e.g., a shared link, a leaked URL, or social engineering of the playlist owner) and sends an unauthenticated HTTP GET request to the Invidious instance's RSS feed endpoint with that playlist ID. The server responds with the full playlist data - including all video entries and the owner's registered email address - without challenging for credentials. …
Remediation Upgrade Invidious to version 2.20260626.0 or later, which contains the authorization fix from pull request #5776. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57946 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy