Description
Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain the full playlist contents, owner email address, and associated video entries without any authentication.
Published: 2026-06-29
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a broken access control flaw in Invidious before release 2.20260626.0 that permits anyone to query the RSS feed endpoint for any playlist ID without authentication. An attacker can retrieve the entire playlist, including the owner’s email address and all video entries. The flaw is classified as CWE-862, indicating that the application fails to enforce authentication before exposing sensitive data, which can lead to privacy breaches.

Affected Systems

Invidious installations by iv-org running any release older than 2.20260626.0 are vulnerable. The flaw affects the RSS feed playlist endpoint that is publicly accessible to unauthenticated users.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers need only knowledge of a playlist ID, which may be guessed or discovered, and can then retrieve private playlist data through the public endpoint. While no remote code execution is possible, the exposure of personal information poses a significant privacy risk.

Generated by OpenCVE AI on June 29, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Invidious to version 2.20260626.0 or later to address the broken access control flaw.
  • If an upgrade cannot be applied immediately, restrict access to the RSS feed playlist endpoint so that only authenticated users can reach it, such as by adding authentication checks or firewall rules.
  • If the endpoint is not required, consider disabling it entirely or monitoring for unauthorized playlist requests to detect potential misuse.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain the full playlist contents, owner email address, and associated video entries without any authentication.
Title | | Invidious - Private Playlist Disclosure via Unauthenticated RSS Feed Endpoint
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Metrics | | cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T18:20:36.061Z

Reserved: 2026-06-26T13:57:16.356Z

Link: CVE-2026-57946

Vulnrichment

Updated: 2026-06-29T18:19:57.963Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T19:30:02Z

Weaknesses