Skip to main content

Invidious EUVDEUVD-2026-40415

| CVE-2026-58447 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-30 VulnCheck GHSA-85cg-fg77-rrm5
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Remote, low-complexity action needs an authenticated user (PR:L) and no interaction; impact is unauthorized deletion of others' data (I:H) with no confidentiality or availability loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jun 30, 2026 - 22:31 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 30, 2026 - 22:31 vuln.today
Analysis Updated
Jun 30, 2026 - 22:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 22:22 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 22:22 NVD
MEDIUM HIGH
CVSS changed
Jun 30, 2026 - 22:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Jun 30, 2026 - 22:00 vuln.today

DescriptionCVE.org

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.

AnalysisAI

Cross-user data tampering in Invidious through 2.20260626.0 lets any authenticated user permanently delete videos from playlists they do not own by submitting an arbitrary global video index to the playlist endpoint's remove_video action. The flaw is a broken object level authorization (BOLA) issue where per-video index values are harvested from the public playlist JSON API and replayed without an ownership check. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register/authenticate on instance
Delivery
Query public playlist JSON API
Exploit
Harvest victim video index values
Execution
Submit remove_video with arbitrary index
Persist
Ownership check missing, deletion succeeds
Impact
Victim playlist videos permanently removed

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated (low-privileged, PR:L) account on the target Invidious instance and that the victim's playlist be reachable via the public playlist JSON API so the attacker can obtain the per-video global index values used by the remove_video action of the playlist endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a real, easily exploitable but limited-impact issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a normal account on a shared Invidious instance, queries the public playlist JSON API for a victim's playlist to read the per-video global index values, then sends remove_video requests to the playlist endpoint supplying those indices. Because no ownership check is performed, the videos are permanently removed from the victim's playlist; publicly available exploit code demonstrates this end to end.
Remediation Upgrade to a build that includes the upstream fix commit 77ad41678b45c4f6815940123f1796fc51259f45 (merged via PR https://github.com/iv-org/invidious/pull/5790), which adds the missing ownership validation to the playlist remove_video action; no tagged release version is cited in the input, so operators running from source should pull and rebuild at or after that commit. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Invidious and document current versions; check audit logs for suspicious playlist deletions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40415 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy