Impact
VideoLAN VLC for Android versions before 3.7.0 have a flaw in the Remote Access Server that allows an attacker to bypass one‑time password authentication. The server accepts a 4‑digit OTP but enforces neither rate limiting nor lockout, so an attacker can submit OTP values repeatedly until a valid user_session cookie is issued. Successful exploitation grants unauthorized access to the Remote Access interface, exposing only those media files the VLC user has explicitly shared. The weakness is classified as CWE‑307 (Improper Restriction of Excessive Authentication Attempts), an authentication bypass leading to confidential data exposure and potentially further attacks on the device.
Affected Systems
VideoLAN VLC for Android versions earlier than 3.7.0 are affected. The affected range is all releases before 3.7.0; the issue is documented only for those older builds.
Risk and Exploitability
The vulnerability carries a CVSS score of 6.3, which falls in the medium severity band. The EPSS score is below 1 %, implying that exploitation is considered unlikely at this time, and the issue is not listed in the CISA KEV catalog. However, because the attack vector relies only on network reachability to the VLC Remote Access Server, any publicly exposed or poorly secured instance could be targeted. Once an OTP brute‑force succeeds, the attacker holds an authenticated session for all shared media without needing any additional privileges.
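As an added illustration, not VLC's own code, the following is a minimal server-side OTP check with the per-client attempt limit and lockout whose absence the advisory describes; the thresholds, the client identifier and the sample code "0042" are assumptions chosen for the demonstration.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5        # wrong codes a client may submit before lockout (assumed)
LOCKOUT_SECONDS = 300   # how long the client stays locked out (assumed)
OTP_DIGITS = 4          # the advisory's 4-digit code: only 10**4 possible values


def new_otp() -> str:
    """Zero-padded OTP drawn from a CSPRNG, never the `random` module."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


class OtpGate:
    """Verifies an OTP while counting failures per client (hypothetical, not VLC code)."""

    def __init__(self, otp: str, clock=time.monotonic):
        self._otp = otp
        self._clock = clock           # injectable so the lockout can be tested offline
        self._state = {}              # client id -> (failure count, locked_until)

    def verify(self, client: str, candidate: str) -> str:
        """Return 'ok', 'denied' or 'locked'; only 'ok' may mint a session cookie."""
        count, locked_until = self._state.get(client, (0, 0.0))
        if self._clock() < locked_until:
            return "locked"                              # refuse before comparing
        if hmac.compare_digest(candidate.encode(), self._otp.encode()):
            self._state.pop(client, None)                # success resets the counter
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self._state[client] = (0, self._clock() + LOCKOUT_SECONDS)
            return "locked"
        self._state[client] = (count, locked_until)
        return "denied"


def exercise_gate(otp: str) -> list:
    """Submit MAX_FAILURES wrong codes, then the right code while locked, then the
    right code after the lockout expires; returns the verdict sequence."""
    clock = [0.0]                                        # fake monotonic clock
    gate = OtpGate(otp, clock=lambda: clock[0])
    wrong = [f"{(int(otp) + 1 + i) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"
             for i in range(MAX_FAILURES)]               # guaranteed not to equal otp
    verdicts = [gate.verify("client-A", code) for code in wrong]
    verdicts.append(gate.verify("client-A", otp))        # correct, but still locked
    clock[0] += LOCKOUT_SECONDS                          # wait out the lockout
    verdicts.append(gate.verify("client-A", otp))        # now accepted
    return verdicts


if __name__ == "__main__":
    print(exercise_gate("0042"))
```

Without the counter, the same loop would simply walk the 10,000-value keyspace until the cookie was issued; with it, the fifth failure locks the client out, and even the correct code is refused until the window expires.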
OpenCVE Enrichment