CVE-2026-58447
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| iv-org | Invidious | 0 <= 2.20260626.0 | affected |
| iv-org | Invidious | 77ad41678b45c4f6815940123f1796fc51259f45 | unaffected |
Weaknesses
- CWE-639: Authorization Bypass Through User-Controlled Key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://github.com/iv-org/invidious/issues/5777
- https://github.com/iv-org/invidious/pull/5790
- https://github.com/iv-org/invidious/commit/77ad41678b45c4f6815940123f1796fc51259f45
- https://www.vulncheck.com/advisories/invidious-cross-user-playlist-video-deletion-via-missing-ownership-check
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.