Description
Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.
Published: 2026-06-30
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a broken object‑level authorization flaw that allows an authenticated user to delete videos from another user’s playlist. By providing an arbitrary global video index to the playlist endpoint’s remove_video action, an attacker can permanently remove entries from playlists they do not own. The impact is loss of content available to the playlist owner and potential disruption of user experience, with no direct data disclosure or code execution. The weakness is classified as an authorization bypass (CWE‑639).

Affected Systems

The affected product is Invidious for the iv‑org vendor, versions up to and including 2.20260626.0. The patch addressing the issue was introduced in commit 77ad416. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while no EPSS score is available. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires a valid user account; an attacker can obtain the necessary video indices from the public playlist JSON API and submit them directly to the deletion endpoint. No additional prerequisites are noted, so any authenticated user can exploit the missing ownership check. The result is unilateral removal of media from other users' playlists.

Generated by OpenCVE AI on June 30, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Invidious to a version that includes commit 77ad416 or later to restore proper ownership checks.
  • Reconfigure or modify the remove_video API endpoint so that the supplied video index is resolved only within a playlist owned by the caller, effectively re-implementing the missing ownership validation.
  • Deploy application or network monitoring to detect unexpected POST requests to the remove_video endpoint and audit playlist contents for unauthorized deletions.
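As an added illustration (a Ruby model written for this page, not Invidious's own Crystal code), the handler shape the advisory describes: a deletion keyed only by a caller-supplied global index, beside a hardened version that resolves the index within the caller's own playlist. The struct, table and function names are assumptions, and the sample data is constructed.

```ruby
# Constructed model of the flaw in the advisory: playlist entries live in one
# global table addressed by a global index that anyone can read from the
# public playlist JSON API. All names below are hypothetical.
PlaylistVideo = Struct.new(:index, :playlist_id, :video_id)
Playlist = Struct.new(:id, :owner, :title)

# Constructed sample data: two users, one playlist each.
PLAYLISTS = {
  "pl-alice" => Playlist.new("pl-alice", "alice", "Alice's picks"),
  "pl-bob"   => Playlist.new("pl-bob", "bob", "Bob's picks"),
}
VIDEOS = {
  1 => PlaylistVideo.new(1, "pl-alice", "vidA1"),
  2 => PlaylistVideo.new(2, "pl-bob", "vidB1"),
  3 => PlaylistVideo.new(3, "pl-bob", "vidB2"),
}

# Vulnerable shape (CWE-639): the caller must own *some* playlist, but the
# row to delete is fetched by the global index alone, so an index belonging
# to another user's playlist is deleted without any ownership check.
def remove_video_vulnerable(videos, playlists, user, playlist_id, index)
  playlist = playlists[playlist_id]
  return :forbidden unless playlist && playlist.owner == user
  videos.delete(index) ? :deleted : :not_found
end

# Hardened shape: the index is only honoured if the row it names belongs to
# the playlist the caller owns; anything else is reported as not found, so
# the deletion can never reach rows of other users' playlists.
def remove_video_fixed(videos, playlists, user, playlist_id, index)
  playlist = playlists[playlist_id]
  return :forbidden unless playlist && playlist.owner == user
  row = videos[index]
  return :not_found unless row && row.playlist_id == playlist.id
  videos.delete(index)
  :deleted
end

# Runs one handler on a fresh copy of the data: alice, authenticated and
# owning pl-alice, supplies index 2, which is a row in bob's playlist.
# Returns [handler result, whether bob's row survived].
def run_scenario(handler)
  videos = VIDEOS.transform_values(&:dup)
  result = send(handler, videos, PLAYLISTS, "alice", "pl-alice", 2)
  [result, videos.key?(2)]
end
```

Auditing for the flaw in a real deployment means checking that the deletion path scopes the index to the caller's playlist, not merely that the caller owns a playlist.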

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 21:30:00 +0000

Values Added (the Values Removed column is empty for this entry):

  • Description: Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.
  • Title: Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check
  • First Time appeared: Iv Org; Iv Org invidious
  • Weaknesses: CWE-639
  • CPEs: cpe:2.3:a:iv_org:invidious:*:*:*:*:*:*:*:*
  • Vendors & Products: Iv Org; Iv Org invidious
  • References: (none listed)
  • Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}; cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T21:05:53.535Z

Reserved: 2026-06-30T19:09:07.025Z

Link: CVE-2026-58447

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T22:30:06Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key