CVE-2026-26227

Name of the Vulnerable Software and Affected Versions VideoLAN VLC for Android versions prior to 3.7.0

Description The Remote Access Server feature in VideoLAN VLC for Android has an authentication bypass due to inadequate rate limiting on one-time password (OTP) verification. The server utilizes a 4-digit OTP but lacks effective throttling or lockout mechanisms during the OTP validity period. An attacker with network access can repeatedly attempt OTP verification to obtain a valid user session cookie, leading to unauthorized access to the Remote Access interface. Access is limited to media files shared by the VLC for Android user through the interface. The affected API endpoint is not explicitly mentioned.

Recommendations Update VideoLAN VLC for Android to version 3.7.0 or later.