CVE-2026-26227 is a vulnerability identified in the Remote Access Server feature of VideoLAN VLC for Android versions before 3.7.0. The Remote Access Server uses a 4-digit one-time password (OTP) mechanism to authenticate users remotely. However, the implementation lacks effective rate limiting or lockout mechanisms during the OTP verification process within the OTP validity window. This absence of throttling allows an attacker with network reachability to the device to perform repeated OTP verification attempts without restriction, effectively enabling brute-force attacks against the 4-digit OTP. Since the OTP space is limited to 10,000 combinations, an attacker can systematically try all possibilities until a valid OTP is found, resulting in issuance of a valid user_session cookie. This cookie grants unauthorized access to the Remote Access interface, which exposes only media files explicitly shared by the VLC for Android user. The vulnerability does not require prior authentication or user interaction, and the attack surface is limited to devices with Remote Access enabled and reachable over the network. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial confidentiality impact (VC:L). No known exploits have been reported in the wild as of the publication date. The vulnerability is categorized under CWE-307, which concerns improper restriction of excessive authentication attempts, a common issue that can lead to brute-force attacks.

The primary impact of CVE-2026-26227 is unauthorized disclosure of media files shared through the VLC for Android Remote Access feature. Attackers gaining access can browse and potentially download media content without user consent, violating confidentiality. While the scope is limited to shared media files and does not extend to full device compromise or system integrity, the breach of private media can have privacy and reputational consequences for individuals and organizations. For organizations using VLC for Android in environments where sensitive media is shared remotely, this vulnerability could lead to data leakage. The ease of exploitation is relatively high due to the small OTP space and lack of throttling, requiring only network access to the device. However, the attack is constrained by the necessity of network reachability and the limited exposure of shared files. There is no impact on availability or integrity of the device or application. The medium severity rating reflects these factors, balancing the moderate confidentiality impact against the limited attack surface and absence of privilege escalation.

To mitigate CVE-2026-26227, organizations and users should upgrade VLC for Android to version 3.7.0 or later, where the vulnerability has been addressed by implementing proper rate limiting and lockout mechanisms on OTP verification attempts. If immediate upgrade is not feasible, users should consider disabling the Remote Access Server feature to eliminate the attack vector. Network-level controls such as firewall rules restricting access to the device’s Remote Access port to trusted IP addresses can reduce exposure. Monitoring network traffic for repeated OTP verification attempts may help detect brute-force activity. Additionally, increasing the complexity or length of the OTP, if configurable, would reduce the feasibility of brute-force attacks. Users should also ensure that shared media files are limited to non-sensitive content and review sharing permissions regularly. Finally, applying device-level security best practices, including strong device authentication and network segmentation, can further reduce risk.