PT-2026-53996 · Invidious · Invidious
George Chen · Published 2026-06-30 · Updated 2026-06-30
CVE-2026-58447
| CVSS v3.1 | 6.5 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Invidious versions prior to 2.20260626.0
Description
An authenticated attacker can delete videos from playlists belonging to other users. The playlist endpoint does not validate ownership when a request uses the remove video action. An attacker can retrieve global video index values from the public playlist JSON API and submit an arbitrary index to the deletion endpoint, permanently removing content from playlists they do not own. This is a broken object-level authorization issue: the application does not verify whether the requesting user has permission to access or modify the specific object.
Recommendations
Update to the version containing commit 77ad416.
Restrict access to the remove video action in the playlist endpoint to minimize the risk of unauthorized deletions.
Exploit
Fix
IDOR
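The missing ownership check described above, as an added illustration that is not Invidious's code: a constructed in-memory playlist store with a remove-video handler that trusts authentication alone, beside one that also verifies the caller owns the playlist and that the index belongs to it. The data model, function names and error type are assumptions made for this example.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """The caller is authenticated but may not modify this object."""


@dataclass
class Playlist:
    owner: str
    # index -> video id; indexes are modelled as globally unique integers (assumption)
    videos: dict = field(default_factory=dict)


def make_store() -> dict:
    """Constructed sample data: two users, one playlist each."""
    return {
        "pl-alice": Playlist("alice", {101: "vid-a1", 102: "vid-a2"}),
        "pl-bob": Playlist("bob", {201: "vid-b1"}),
    }


def remove_video_vulnerable(store, caller, playlist_id, index):
    """Broken object-level authorization: `caller` is authenticated but never
    compared with the playlist owner, so any user can delete from any playlist."""
    store[playlist_id].videos.pop(index)


def remove_video_fixed(store, caller, playlist_id, index):
    """Object-level check: resolve the playlist, require that the caller owns
    it, and require that the index belongs to that playlist."""
    playlist = store.get(playlist_id)
    # One error for "unknown" and "not yours", so the endpoint does not
    # reveal which playlist ids exist.
    if playlist is None or playlist.owner != caller:
        raise Forbidden("playlist not found or not owned by caller")
    if index not in playlist.videos:
        raise KeyError("index is not part of this playlist")
    playlist.videos.pop(index)


def cross_user_delete_succeeds(handler) -> bool:
    """True if `handler` lets bob remove entry 101 from alice's playlist."""
    store = make_store()
    try:
        handler(store, "bob", "pl-alice", 101)
    except Forbidden:
        return False
    return 101 not in store["pl-alice"].videos
```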
Affected Products
Invidious