CVE Catalog

CVE-2026-57946

Severity: Low (CVSS 3.7)
Source: NVD (NIST)

Summary

A broken access control vulnerability in Invidious before version 2.20260626.0 allows unauthenticated attackers to retrieve private playlist contents via the RSS feed playlist endpoint. Attackers can supply a playlist ID to obtain the full playlist contents, owner email address, and associated video entries without authentication.
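The following Python model is added here to illustrate the flaw class the summary describes; it is not code from the Invidious project (which is written in Crystal) and does not reproduce its data model or endpoint path, neither of which appears on this page. The playlist store, the session store, the IDs PLpub01 and PLpriv01, the tokens and the email addresses are all constructed for the example. The vulnerable handler serialises whatever playlist ID it is given, owner email included; the hardened one serves a private playlist only to its authenticated owner, answers every other case exactly like a missing ID, and never emits an account identifier in feed output.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Playlist:
    """Constructed stand-in for a playlist record; only the fields the
    advisory mentions (contents, owner email, video entries) are modelled."""
    id: str
    title: str
    owner_email: str
    private: bool
    videos: List[str] = field(default_factory=list)


# Constructed sample data, not an Invidious database.
PLAYLISTS: Dict[str, Playlist] = {
    "PLpub01": Playlist("PLpub01", "Talks", "alice@example.invalid", False, ["v1", "v2"]),
    "PLpriv01": Playlist("PLpriv01", "Drafts", "alice@example.invalid", True, ["v3"]),
}

# Hypothetical session store mapping a session token to the account that owns it.
SESSIONS: Dict[str, str] = {
    "tok-alice": "alice@example.invalid",
    "tok-bob": "bob@example.invalid",
}


def feed_playlist_vulnerable(playlist_id: str) -> Optional[dict]:
    """Pre-fix behaviour as the advisory describes it: the feed handler looks
    the playlist up by ID and returns it with no privacy or ownership check,
    so an unauthenticated caller gets a private playlist plus the owner email."""
    pl = PLAYLISTS.get(playlist_id)
    if pl is None:
        return None
    return {"title": pl.title, "owner_email": pl.owner_email, "videos": list(pl.videos)}


def feed_playlist_fixed(playlist_id: str, session_token: Optional[str] = None) -> Optional[dict]:
    """Hardened handler.

    A private playlist is returned only when the request carries a valid
    session whose account owns it. Any other request for a private playlist
    gets the same result as an unknown ID, so the response does not even
    confirm that the ID exists. The owner email is never part of the feed:
    an RSS consumer has no use for it and it is an account identifier."""
    pl = PLAYLISTS.get(playlist_id)
    if pl is None:
        return None
    if pl.private:
        requester = SESSIONS.get(session_token) if session_token else None
        if requester is None or requester != pl.owner_email:
            return None  # indistinguishable from "no such playlist"
    return {"title": pl.title, "videos": list(pl.videos)}
```

The important design point is the second `return None`: returning a distinct "forbidden" result for private playlists would still let an unauthenticated caller enumerate which IDs exist and which are private, so the hardened handler collapses both cases into the not-found response.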

Risk Assessment

The flaw is an information disclosure. Any request to the feed endpoint that supplies a playlist ID is answered with that playlist's contents, its video entries and the owner's email address, whether or not the playlist is private and without the requester authenticating. The exposed email addresses and viewing habits give an attacker material for profiling, phishing and social engineering against the instance's users. The low CVSS score reflects that the impact described is disclosure only, not modification, and that the attacker must supply a playlist ID; it does not mean the disclosed data is harmless.

Recommendation

Upgrade Invidious to version 2.20260626.0 or later, which contains the fix for the access control flaw, and confirm the running version afterwards. Until the upgrade is deployed, operators can limit exposure by restricting access to the RSS feed playlist endpoint (for example at the reverse proxy in front of the instance). Operators should also assume that the owner email addresses and contents of private playlists on an unpatched, publicly reachable instance may already have been retrieved.
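To decide whether an instance needs the upgrade, its release string can be compared against the fixed release named in the advisory. The helper below is an added example, not an Invidious tool; it assumes the release string follows the 2.YYYYMMDD.N pattern that the advisory's version number uses, with an optional leading v as found on git tags, and rejects anything else rather than guessing.

```python
import re
from typing import Tuple

# Fixed release as stated in the advisory.
FIXED_VERSION = "2.20260626.0"

# Assumed release format: <major>.<YYYYMMDD>.<patch>, optional leading "v".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d{8})\.(\d+)$")


def parse_version(s: str) -> Tuple[int, int, int]:
    """Parse a release string into a comparable (major, date, patch) tuple.

    Raises ValueError for strings that do not match the expected pattern,
    so a build string from a fork or a dev snapshot is flagged for manual
    review instead of being silently treated as patched or unpatched."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Invidious version string: {s!r}")
    major, date, patch = (int(x) for x in m.groups())
    return (major, date, patch)


def is_affected(running: str) -> bool:
    """True when the running release predates the fixed release."""
    return parse_version(running) < parse_version(FIXED_VERSION)
```

Comparing the parsed tuple rather than the raw string matters for the date and patch fields: a plain string comparison would rank "2.20260626.10" below "2.20260626.2".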

Original NVD description (English source)

Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain the full playlist contents, owner email address, and associated video entries without any authentication.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS