CVE-2026-26227: CWE-307 Improper Restriction of Excessive Authentication Attempts in VideoLAN VLC for Android
VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user.
AI Analysis
Technical Summary
CVE-2026-26227 is a vulnerability classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts) affecting the Remote Access Server feature of VideoLAN VLC for Android prior to version 3.7.0. The Remote Access Server uses a 4-digit one-time password (OTP) for authentication. However, the implementation lacks effective rate limiting or lockout mechanisms during the OTP validity window, allowing an attacker with network reachability to perform brute-force attacks against the OTP verification endpoint. Because the OTP is only 4 digits, the total possible combinations are 10,000, which is feasible to brute force rapidly without throttling. Successful exploitation results in the issuance of a valid user_session cookie, granting unauthorized access to the Remote Access interface. This interface allows access only to media files explicitly shared by the VLC user, limiting the scope of data exposure. The vulnerability does not require any privileges or user interaction, increasing its exploitability. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and low confidentiality impact. No known exploits have been reported in the wild as of the publication date. The vulnerability was publicly disclosed on February 26, 2026, and no official patch links were provided in the source data, but upgrading VLC for Android to version 3.7.0 or later is recommended. This vulnerability highlights the importance of implementing proper rate limiting and lockout policies on authentication mechanisms, especially when using short OTPs.
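The weakness described above is a missing guess budget: a 4-digit code has only 10,000 values, so unless the server caps failed attempts inside the validity window, the code can be exhausted before it expires. The following is an added illustration, not VLC's code, of how a single-user OTP verifier can close that gap. The validity window, guess budget and lockout duration are assumed values chosen for the example; only the 4-digit length comes from the advisory. The counter is bound to the challenge rather than to the caller, so changing source addresses does not buy extra guesses, and the OTP is revoked outright once the budget is spent.

```python
import hmac
import secrets
import time
from typing import Callable, Optional

# Constructed policy values; the advisory states only the 4-digit OTP length.
OTP_DIGITS = 4
OTP_TTL_SECONDS = 60.0        # assumed validity window of one challenge
MAX_FAILURES_PER_OTP = 3      # assumed: wrong guesses allowed before the OTP is revoked
LOCKOUT_SECONDS = 300.0       # assumed cool-down after the OTP is revoked


class OtpVerifier:
    """Single-user OTP check with a hard per-challenge guess budget and a lockout.

    Because the budget belongs to the challenge, not to the client, an attacker
    who rotates IP addresses still gets at most MAX_FAILURES_PER_OTP guesses
    against any one code, which is far below the 10,000-value keyspace.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock           # injectable for testing
        self._code: Optional[str] = None
        self._issued_at = 0.0
        self._failures = 0
        self._locked_until = 0.0

    def issue(self) -> str:
        """Generate a fresh OTP; the server would show this on the device owner's screen."""
        now = self._clock()
        if now < self._locked_until:
            raise RuntimeError("locked out; a new OTP cannot be issued yet")
        self._code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._issued_at = now
        self._failures = 0
        return self._code

    def verify(self, submitted: str) -> tuple[Optional[str], str]:
        """Return (session_token, reason); the token is None on every failure path."""
        now = self._clock()
        if now < self._locked_until:
            return None, "locked_out"
        if self._code is None or now - self._issued_at > OTP_TTL_SECONDS:
            self._code = None            # expired challenges are never compared against
            return None, "expired"
        # Constant-time comparison so response timing leaks nothing about the digits;
        # non-ASCII input is treated as a plain failure rather than raising.
        matched = submitted.isascii() and hmac.compare_digest(self._code, submitted)
        if matched:
            self._code = None            # single use: the same code cannot be replayed
            return secrets.token_urlsafe(32), "ok"
        self._failures += 1
        if self._failures >= MAX_FAILURES_PER_OTP:
            self._code = None            # revoke: the rest of the window is no longer guessable
            self._locked_until = now + LOCKOUT_SECONDS
            return None, "locked_out"
        return None, "wrong_code"


if __name__ == "__main__":
    v = OtpVerifier()
    code = v.issue()
    print("issued", code, "->", v.verify(code)[1])
```

The important design choice is that the third wrong guess does not merely slow the attacker down; it discards the code entirely, so the remainder of the validity window cannot be used to finish the search. A progressive delay (recommendation 6 below) can be layered on top, but on its own it only lengthens the attack.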
Potential Impact
The primary impact of this vulnerability is unauthorized access to the Remote Access interface of VLC for Android, potentially exposing media files that the user has explicitly shared. While the scope of data exposure is limited to shared media, unauthorized access could lead to privacy violations, unauthorized media distribution, or leakage of sensitive content. For organizations, especially those using VLC for Android in enterprise or shared environments, this could result in data confidentiality breaches and reputational damage. The ease of exploitation due to lack of throttling and the short OTP length increases risk. However, the impact on system integrity and availability is minimal, as the vulnerability does not allow code execution or denial of service. The medium CVSS score reflects moderate risk, but the actual impact depends on how widely the Remote Access feature is used and the sensitivity of shared media. Since no known exploits are currently in the wild, the threat is primarily theoretical but should be addressed promptly to prevent future abuse.
Mitigation Recommendations
1. Upgrade VLC for Android to version 3.7.0 or later, where this vulnerability is fixed with proper rate limiting on OTP verification.
2. Disable the Remote Access Server feature if it is not required, to eliminate the attack surface.
3. If Remote Access must be used, restrict network access to the Remote Access Server using firewall rules or VPNs to limit exposure to trusted networks only.
4. Monitor network logs and application logs for repeated OTP verification attempts or unusual authentication patterns indicative of brute-force attacks.
5. Encourage users to avoid sharing sensitive or private media files via the Remote Access feature.
6. Implement additional application-layer protections such as CAPTCHA or progressive delays on failed OTP attempts if possible.
7. Educate users about the risks of enabling Remote Access and the importance of updating the application regularly.
8. For organizations deploying VLC for Android at scale, consider endpoint security solutions that can detect anomalous access patterns or unauthorized session creations.
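Recommendation 4 asks for monitoring of repeated OTP verification attempts. The following added example, not part of the advisory or of VLC, shows the detection logic run over a constructed log sample; the line format (`src=... event=otp_verify result=...`) is invented for the example, since the page does not describe the Remote Access Server's real log format, and the 60-second window and threshold of 10 failures are assumed tuning values. It raises one alert when a source crosses the failure threshold inside the window and a second, higher-priority alert when a success follows such a burst, which is the pattern a completed guess would leave.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format; the real Remote Access Server format is not on the page.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=otp_verify result=(?P<result>\w+)$"
)

WINDOW = timedelta(seconds=60)   # assumed: matched to the OTP validity window
THRESHOLD = 10                   # assumed: failures per window that trigger an alert

# Constructed sample: twelve failures from one source in twelve seconds, one
# unrelated failure from another source, then a success from the first source.
SAMPLE_LOG = [
    f"2026-02-26T19:40:{s:02d}Z src=192.0.2.10 event=otp_verify result=failure"
    for s in range(5)
] + [
    "2026-02-26T19:40:05Z src=192.0.2.20 event=otp_verify result=failure",
] + [
    f"2026-02-26T19:40:{s:02d}Z src=192.0.2.10 event=otp_verify result=failure"
    for s in range(5, 12)
] + [
    "2026-02-26T19:40:13Z src=192.0.2.10 event=otp_verify result=success",
]


def parse_line(line: str):
    """Return (timestamp, source, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["result"]


def detect_otp_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of OTP failures per source.

    Returns a list of (source, iso_timestamp, alert_kind) tuples:
      - 'otp_bruteforce'      : the source reached `threshold` failures within `window`
      - 'success_after_burst' : a success arrived while the source was still at or
                                above the threshold, i.e. a likely completed guess
    """
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, result = parsed
        q = recent[src]
        while q and ts - q[0] > window:        # drop failures outside the window
            q.popleft()
        if result == "failure":
            q.append(ts)
            if len(q) == threshold:            # fire once, on the crossing
                alerts.append((src, ts.isoformat(), "otp_bruteforce"))
        elif result == "success" and len(q) >= threshold:
            alerts.append((src, ts.isoformat(), "success_after_burst"))
    return alerts


if __name__ == "__main__":
    for alert in detect_otp_bruteforce(SAMPLE_LOG):
        print(*alert)
```

Firing once at the crossing rather than on every subsequent failure keeps the alert volume proportional to the number of attackers, not to the number of guesses; the success-after-burst alert is the one worth paging on, because it indicates a session cookie was actually issued.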
Affected Countries
United States, Germany, France, United Kingdom, India, Brazil, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-11T20:08:07.946Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a0a1ca85912abc71d0bb59
Added to database: 2/26/2026, 7:40:58 PM
Last enriched: 2/26/2026, 8:09:57 PM
Last updated: 2/27/2026, 3:15:41 AM