{"id":"CVE-2026-26227","summary":"VLC for Android \u003c 3.7.0 Remote Access OTP Authentication Bypass","details":"VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user.","modified":"2026-07-08T08:12:26.583528024Z","published":"2026-02-26T17:37:19.896Z","database_specific":{"cwe_ids":["CWE-307"],"cna_assigner":"VulnCheck","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26227.json"},"references":[{"type":"WEB","url":"https://www.videolan.org/vlc/download-android.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26227.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26227"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/vlc-for-android-remote-access-otp-authentication-bypass"},{"type":"FIX","url":"https://https://github.com/videolan/vlc-android/releases/tag/3.7.0"},{"type":"PACKAGE","url":"https://github.com/videolan/vlc-android"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/videolan/vlc-android","events":[{"introduced":"0"},{"fixed":"2e44dfbb4a5a8f4a282adea4270e97baaa481d23"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"3.7.0"}],"source":"AFFECTED_FIELD"}}],"versions":["remoteaccess-0.12.0","3.7.0","3.7.0-beta04","remoteaccess-0.11.0","3.7.0-beta03","3.7.0-beta02","libvlc-4.0.0-eap23","libvlc-3.6.5","libvlc-4.0.0-eap22","libvlc-3.6.4","remoteaccess-0.10.0","3.7.0-beta01","remoteaccess-0.9.0","libvlc-3.6.3","libvlc-4.0.0-eap21","remoteaccess-0.8.0","remoteaccess-0.7.0","3.6.5-1","3.6.5","3.6.4","3.6.4-beta05","remoteaccess-0.6.0","libvlc-4.0.0-eap20","libvlc-3.6.2","3.6.4-beta04","libvlc-4.0.0-eap19","libvlc-3.6.1","remoteaccess-0.5.0","remoteaccess-0.4.0","3.6.4-beta03","3.6.4-beta02","3.6.4-beta01","remoteaccess-0.3.0","3.6.3","libvlc-4.0.0-eap18","libvlc-3.6.0","remoteaccess-0.2.0","3.6.2","remoteaccess-0.1.3","3.6.1","3.6.0","remoteaccess-0.1.2","3.6.0-beta06","3.6.0-beta05","remoteaccess-0.1.1","libvlc-4.0.0-eap17","libvlc-3.6.0-eap14","3.6.0-beta04","libvlc-4.0.0-eap16","libvlc-3.6.0-eap13","3.6.0-beta03","3.6.0-beta02","3.6.0-beta01","libvlc-4.0.0-eap15","libvlc-3.6.0-eap12","libvlc-4.0.0-eap14","libvlc-3.6.0-eap11","libvlc-4.0.0-eap13","libvlc-3.6.0-eap10","libvlc-4.0.0-eap12","libvlc-3.6.0-eap9","libvlc-4.0.0-eap11","libvlc-3.6.0-eap8","libvlc-4.0.0-eap10","libvlc-3.6.0-eap7","libvlc-4.0.0-eap9","libvlc-3.6.0-eap6","libvlc-4.0.0-eap8","libvlc-3.6.0-eap5","libvlc-4.0.0-eap7","libvlc-3.6.0-eap4","libvlc-4.0.0-eap6","libvlc-3.6.0-eap3","libvlc-4.0.0-eap5","libvlc-3.6.0-eap2","libvlc-4.0.0-eap4","libvlc-3.6.0-eap1","libvlc-4.0.0-eap3","libvlc-4.0.0-eap2","3.5.2-beta01","libvlc-3.5.2-eap1","libvlc-3.5.1","3.5.1","3.5.1-beta01","libvlc-3.5.1-eap1","3.5.0","3.5.0-rc3","3.5.0-rc2","3.5.0-rc1","3.5.0-beta07","libvlc-3.5.0-eap8","3.5.0-beta06","libvlc-3.5.0-eap7","3.5.0-beta05","3.5.0-beta04","libvlc-3.5.0-eap6","3.5.0-beta03","libvlc-3.5.0-eap5","3.5.0-beta02","3.5.0-beta01","libvlc-3.5.0-eap4","libvlc-3.5.0-eap3","libvlc-3.5.0-eap2","libvlc-3.5.0-eap1","libvlc-3.4.8","libvlc-3.4.7","libvlc-3.4.6","3.4.3-beta02","3.4.3-beta01","libvlc-3.4.5","3.4.2","libvlc-3.4.4","3.4.1","3.4.1-beta03","libvlc-3.4.3","libvlc-3.4.2","3.4.1-beta02","3.4.1-beta01","libvlc-3.4.1","3.4.0","3.4.0-rc2","3.4.0-rc1","3.4.0-beta06","libvlc-3.4.0-eap9","3.4.0-beta05","libvlc-3.4.0-eap8","3.4.0-beta04","libvlc-3.4.0-eap7","3.4.0-beta03","3.4.0-beta02","3.4.0-beta01","3.3.4-beta02","3.3.4-beta01","libvlc-3.3.13","libvlc-3.3.12","3.3.3","3.3.3-beta04","libvlc-3.3.11","3.3.3-beta03","3.3.3-beta02","3.3.3-beta01","libvlc-3.3.9","libvlc-3.3.7","libvlc-3.3.6","3.3.1-beta02","libvlc-3.3.3","3.3.1-beta01","libvlc-3.3.2","libvlc-3.3.1","libvlc-3.3.0","3.3.0-RC4","3.2.92","libvlc-3.3.0-eap17","3.3.0-RC3","3.2.91","3.3.0-RC2","3.2.90","3.3.0-RC1","3.2.89","libvlc-3.3.0-eap16","3.2.88","3.3.0-beta07","3.2.87","libvlc-3.3.0-eap15","3.3.0-beta06","3.2.86","libvlc-3.3.0-eap14","libvlc-3.3.0-eap13","3.3.0-beta04","3.2.84","libvlc-3.3.0-eap12","3.3.0-beta03","3.2.83","libvlc-3.3.0-eap11","3.3.0-beta02","3.2.82","libvlc-3.3.0-eap10","3.2.81","3.3.0-beta01","libvlc-3.3.0-eap9","libvlc-3.3.0-eap8","libvlc-3.3.0-eap7","libvlc-3.3.0-eap6","libvlc-3.3.0-eap5","libvlc-eap4","3.0.99","3.0.98","3.0.97","3.0.96","3.0.95","3.0.94","3.0.93","3.0.92","3.0.1-1","3.0.0","2.9.1","2.9.0","2.5.7","2.5.5","2.5.4","2.5.3","2.5.2","2.5.1","2.5.0","2.1.20","2.1.19","2.1.18","2.1.17-1","2.1.17","2.1.16","2.1.15","2.1.14","2.1.13","2.1.12","2.1.11","2.1.10","2.1.9","2.1.8","2.1.7","2.1.6","2.1.5","2.1.4","2.1.3","2.1.2","2.1.1","2.1.0","2.0.0-RC1","1.9.13","1.9.12","1.9.11","1.9.10","1.9.9","1.9.8","1.9.7","1.9.6","1.9.5","1.9.4","1.9.3","1.9.2","1.9.1","1.9.0","1.7.0","1.6.5","1.6.4","1.6.3","1.6.2","1.6.1","1.6.0","1.5.90","1.5.2","1.5.1.1","1.5.1","1.5.0","1.4.99","1.4.1","1.4.0","1.3.2","1.3.1","1.3.0","1.2.6","1.2.5","1.2.4","1.2.3","1.2.2","1.2.1","1.2.0","1.1.6","1.1.5","1.1.4","1.1.3","1.1.2","1.1.1","1.1.0","0.9.9","0.9.8","0.9.7.1","0.9.7","0.9.6","0.9.5","0.9.4","0.9.3","0.9.2","0.9.1","0.9.0","0.1.2","0.1.1","0.1.0","0.0.11","0.0.10","0.0.9","0.0.8","0.0.7","0.0.6","0.0.5","0.0.4","0.0.3","0.0.2","0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26227.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}]}