Description
yt-dlp is a command-line audio/video downloader. From 2023.09.24 until 2026.06.09, if curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. At the file download stage, the cookies are passed by yt-dlp to the file downloader via --cookie. However, unless these are loaded from a file, this operation does not activate the cookie engine. As a result, curl will send cookies with requests to domains or paths for which the cookies are not scoped. This vulnerability is fixed in 2026.06.09.
Published: 2026-06-23
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is reached when yt‑dlp invokes curl as an external downloader. yt‑dlp hands the user's cookies to curl through the --cookie option as a literal name=value string, but curl only activates its cookie engine (the component that applies domain and path scoping) when the --cookie argument names a file. With a literal string, curl attaches the same Cookie header to every request it makes, whatever the target host or path. Cookies therefore leak to an unintended host when the server answers with an HTTP redirect, or when a manifest's download fragments are hosted on a different host than the manifest itself. The result is disclosure of session cookies to domains that were never meant to receive them. The fix was released in version 2026.06.09.
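To make the scoping difference concrete, the following Python example (added here; it is neither yt‑dlp's nor curl's code, and the hostnames, cookie names and the curl_argv helper are constructed for illustration) models both behaviours with the standard library's http.cookiejar. flat_cookie_header is what a single literal --cookie "a=1; b=2" string amounts to: one fixed Cookie header that goes to every host the request reaches, redirect targets and differently hosted fragments included. scoped_cookie_header applies the domain, path and Secure matching that a cookie engine performs, so a request to a host the cookies were not set for gets no Cookie header at all. The matching rules are Python's DefaultCookiePolicy; they illustrate the principle, not the exact logic of the yt‑dlp fix.

```python
"""Why a literal --cookie string leaks across hosts, and what domain/path
scoping (the job of a cookie engine) changes.

Added example; not yt-dlp or curl code.  Hostnames, cookie names and the
curl_argv helper are constructed for illustration.
"""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(name, value, domain, path="/", secure=False):
    """Build a Netscape-style (version 0) cookie as a cookie jar stores it."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path=path, path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def build_jar():
    """Constructed sample jar: a site-wide session cookie marked Secure, plus
    a token scoped to the CDN host and the /videos path only."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("SESSION", "s3cr3t", ".example.com", secure=True))
    jar.set_cookie(make_cookie("CDN_TOKEN", "abc", "cdn.example.com", "/videos"))
    return jar


def flat_cookie_header(jar):
    """What passing every cookie as one literal `--cookie "a=1; b=2"` string
    amounts to: a fixed Cookie header, sent to whatever host the request
    (or a redirect, or a fragment URL) ends up at."""
    return "; ".join(f"{c.name}={c.value}" for c in jar)


def scoped_cookie_header(jar, url):
    """What a cookie engine does instead: attach only the cookies whose
    domain, path and Secure attributes match this particular URL.
    Returns None when nothing matches."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies DefaultCookiePolicy matching
    return req.get_header("Cookie")


def curl_argv(jar, url):
    """argv for one scoped curl invocation (hypothetical helper).  Only the
    matching cookies are passed, and -L is deliberately absent: a redirect
    would carry the literal string to the new host, so the caller must
    re-scope and re-issue the request for the redirect target instead."""
    header = scoped_cookie_header(jar, url)
    argv = ["curl", "--fail", "--silent", "--show-error"]
    if header:
        argv += ["--cookie", header]
    return argv + ["--output", "-", url]


if __name__ == "__main__":
    jar = build_jar()
    print("flat  :", flat_cookie_header(jar))
    for url in (
        "https://www.example.com/watch?v=1",         # the site itself
        "https://cdn.example.com/videos/seg1.ts",    # fragment on the CDN
        "https://cdn.other.invalid/videos/seg1.ts",  # fragment host differs
        "http://www.example.com/",                   # plain-http redirect target
    ):
        print("scoped:", url, "->", scoped_cookie_header(jar, url))
        print("       ", " ".join(curl_argv(jar, url)))
```

Running it shows the site request receiving SESSION, the CDN fragment receiving both cookies, and the foreign host and the plain‑http redirect target receiving nothing, whereas the flat header carries both cookies everywhere. The curl_argv helper omits -L on purpose: curl resends a literal --cookie string after a redirect, so a downloader that wants scoping has to treat each redirect target and fragment URL as its own scoped request, or hand curl a cookie file, which is what activates the engine.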

Affected Systems

yt‑dlp command‑line downloader from release 2023.09.24 up to, but not including, 2026.06.09, and only when curl is configured as the external downloader. Release 2026.06.09 contains the fix that properly scopes cookies when curl is used. No other vendors are listed as affected.

Risk and Exploitability

The CVSS v3.1 score of 6.1 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N) indicates moderate severity: the attack is network‑reachable but of high complexity, needs no privileges, requires user interaction (the user must run yt‑dlp with curl as the external downloader against attacker‑influenced content), and changes scope because cookies issued for one site end up at another. No EPSS score is available, so the likelihood of exploitation is unknown, and the vulnerability is not listed in CISA's KEV catalog. From the description, an attacker who can control an HTTP redirect or supply a manifest whose fragments live on a different host could cause curl to send the user's cookies to a host they were never scoped for. The impact is confidentiality only (CWE‑200); no integrity or availability impact is noted. Updating to 2026.06.09 or later is the recommended mitigation.

Generated by OpenCVE AI on June 24, 2026 at 11:50 UTC.

Remediation

Fixed in yt‑dlp 2026.06.09 (per the description and GHSA-f7j3-774f-rfhj). No separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade yt‑dlp to version 2026.06.09 or newer to address the CWE‑200 information disclosure flaw and apply the cookie‑scoping fix.
  • If an upgrade is not yet possible, avoid using curl as an external downloader when cookies are supplied; use yt‑dlp's built‑in downloader or another external downloader that correctly scopes cookies to the host and path they were set for.
  • Regularly review yt‑dlp release notes and security advisories to stay informed of further fixes.

Tracking

Advisories
Source: Github GHSA
ID: GHSA-f7j3-774f-rfhj
Title: yt-dlp: File Downloader cookie leak with curl
History

Tue, 23 Jun 2026 20:30:00 +0000

Type: First Time appeared
Values removed: none
Values added: Yt-dlp; Yt-dlp yt-dlp

Type: Vendors & Products
Values removed: none
Values added: Yt-dlp; Yt-dlp yt-dlp

Tue, 23 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 16:45:00 +0000

Type: Description
Values removed: none
Values added: yt-dlp is a command-line audio/video downloader. From 2023.09.24 until 2026.06.09, if curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. At the file download stage, the cookies are passed by yt-dlp to the file downloader via --cookie. However, unless these are loaded from a file, this operation does not activate the cookie engine. As a result, curl will send cookies with requests to domains or paths for which the cookies are not scoped. This vulnerability is fixed in 2026.06.09.

Type: Title
Values removed: none
Values added: yt-dlp: File Downloader cookie leak with curl

Type: Weaknesses
Values removed: none
Values added: CWE-200

Type: References
Values removed: none
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-23T17:57:20.992Z
Reserved: 2026-06-02T22:46:02.579Z
Link: CVE-2026-50019

Vulnrichment

Updated: 2026-06-23T17:57:17.821Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T12:00:05Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor