CVE-2026-26227: CWE-307 Improper Restriction of Excessive Authentication Attempts in VideoLAN VLC for Android
VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user.
AI Analysis
Technical Summary
CVE-2026-26227 describes an authentication bypass vulnerability in VideoLAN VLC for Android before version 3.7.0. The Remote Access Server uses a 4-digit OTP for authentication but lacks proper rate limiting or lockout mechanisms within the OTP validity window. This allows an attacker with network access to brute-force OTP verification attempts until a valid user_session cookie is obtained, bypassing authentication controls. The unauthorized access is restricted to media files shared by the VLC user via the Remote Access interface.
Potential Impact
An attacker can gain unauthorized access to the VLC for Android Remote Access interface by brute forcing the 4-digit OTP due to missing or insufficient rate limiting. This access is limited to media files explicitly shared by the user. There is no indication of privilege escalation beyond this interface or broader system compromise. The vulnerability has a medium severity impact with a CVSS score of 6.3.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid enabling the Remote Access Server feature or restrict network access to it to trusted networks only. Monitor for vendor updates regarding patches or official mitigations.
CVE-2026-26227: CWE-307 Improper Restriction of Excessive Authentication Attempts in VideoLAN VLC for Android
Description
VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user.
CVSS v4.0
Score 6.3medium
Affected software
pkg:github/videolan/vlc-androidRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-26227 describes an authentication bypass vulnerability in VideoLAN VLC for Android before version 3.7.0. The Remote Access Server uses a 4-digit OTP for authentication but lacks proper rate limiting or lockout mechanisms within the OTP validity window. This allows an attacker with network access to brute-force OTP verification attempts until a valid user_session cookie is obtained, bypassing authentication controls. The unauthorized access is restricted to media files shared by the VLC user via the Remote Access interface.
Potential Impact
An attacker can gain unauthorized access to the VLC for Android Remote Access interface by brute forcing the 4-digit OTP due to missing or insufficient rate limiting. This access is limited to media files explicitly shared by the user. There is no indication of privilege escalation beyond this interface or broader system compromise. The vulnerability has a medium severity impact with a CVSS score of 6.3.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid enabling the Remote Access Server feature or restrict network access to it to trusted networks only. Monitor for vendor updates regarding patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-02-11T20:08:07.946Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69a0a1ca85912abc71d0bb59
Added to database: 02/26/2026, 19:40:58 UTC
Last enriched: 07/15/2026, 11:09:25 UTC
Last updated: 07/18/2026, 17:38:39 UTC
Views: 280
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.