CVE-2026-26228: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in VideoLAN VLC for Android
VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalization or directory containment checks, allowing an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory. The impact is bounded by the Android application sandbox and storage restrictions, typically limiting exposure to app-internal and app-specific external storage.
AI Analysis
Technical Summary
CVE-2026-26228 is a path traversal vulnerability identified in VideoLAN VLC for Android prior to version 3.7.0. The flaw exists in the Remote Access Server component, specifically in the handling of the authenticated GET /download endpoint. The 'file' query parameter is concatenated directly into a filesystem path under the configured download directory without proper canonicalization or directory containment checks. This improper limitation of pathname (CWE-22) allows an authenticated attacker with network reachability to the Remote Access Server to craft requests that traverse directories and access files outside the intended download directory. Due to Android's application sandboxing and storage permission model, the attacker’s access is generally confined to files within the app’s internal storage or app-specific external storage, limiting the scope of data exposure. The vulnerability requires the attacker to have valid authentication credentials and network access to the Remote Access Server, reducing the ease of exploitation. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, partial authentication, no user interaction, and low impact on confidentiality, integrity, and availability. No public exploits or active exploitation have been reported. The vulnerability is addressed in VLC for Android version 3.7.0 and later, where proper path canonicalization and directory containment checks are implemented to prevent unauthorized file access.
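The following is an added example, not code from VLC for Android or from this advisory. It contrasts the vulnerable pattern the analysis describes (a query value joined straight onto the download directory) with a hardened resolver that canonicalizes the path and then checks that the result is contained in the directory. The directory layout, file names and request values are constructed for the demonstration; `naive_resolve`, `safe_resolve`, `build_fixture` and `demo` are hypothetical names.

```python
# Added example (not VLC code): the vulnerable concatenation pattern the
# advisory describes beside a hardened resolver that canonicalizes the path
# and checks that the result stays inside the download directory.
import os
import tempfile
from pathlib import Path
from typing import Optional


def naive_resolve(download_dir: str, requested: str) -> str:
    """Vulnerable pattern: the query value is joined straight onto the base.
    '..' segments are not collapsed and an absolute value replaces the base."""
    return os.path.join(download_dir, requested)


def safe_resolve(download_dir: str, requested: str) -> Optional[Path]:
    """Hardened pattern: canonicalize, then require containment.

    Returns the canonical file path if it lies strictly inside download_dir,
    otherwise None. resolve() follows symlinks, so a link inside the directory
    that points outside is rejected as well."""
    if "\x00" in requested or os.path.isabs(requested):
        return None
    base = Path(download_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError when outside base
    except ValueError:
        return None
    if candidate == base or not candidate.is_file():
        return None
    return candidate


def build_fixture() -> tuple:
    """Constructed layout: <root>/downloads/clip.mp4 is the only legitimate
    file; <root>/app.db stands in for app-private data outside the directory."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "downloads")
    os.makedirs(downloads)
    with open(os.path.join(downloads, "clip.mp4"), "wb") as f:
        f.write(b"constructed media bytes")
    with open(os.path.join(root, "app.db"), "w") as f:
        f.write("constructed app-private content")
    return root, downloads


def demo() -> dict:
    """Compare both resolvers on a benign name and on traversal-shaped names."""
    _root, downloads = build_fixture()
    inside_prefix = os.path.abspath(downloads) + os.sep
    results = {}
    for requested in ("clip.mp4", "../app.db", "sub/../../app.db", "/etc/hostname"):
        naive = os.path.normpath(naive_resolve(downloads, requested))
        safe = safe_resolve(downloads, requested)
        results[requested] = {
            "naive_escapes": not naive.startswith(inside_prefix),
            "safe_allows": safe is not None,
        }
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r}: naive escapes={verdict['naive_escapes']} "
              f"hardened allows={verdict['safe_allows']}")
```

The containment test is done on the canonical form (`resolve()` collapses `..` and follows symlinks) rather than on the raw string, so stripping `../` substrings from the input is never relied on; absolute values and NUL bytes are rejected before resolution because `os.path.join` silently discards the base when the second argument is absolute.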
Potential Impact
The primary impact of CVE-2026-26228 is unauthorized disclosure of files stored within the VLC for Android app’s internal or app-specific external storage. While this does not allow access to the broader Android filesystem or other apps’ data due to sandboxing, sensitive user data or cached media files stored by VLC could be exposed. This may lead to privacy violations or leakage of personal media content. The requirement for authentication and network access to the Remote Access Server limits the attack surface to users who have valid credentials and network connectivity, such as local network users or attackers who have compromised credentials. The vulnerability does not allow code execution or system compromise, and does not affect system integrity or availability. However, in environments where VLC is used to handle sensitive media or documents, this exposure could be significant. Organizations relying on VLC for Android in enterprise or sensitive contexts should consider the risk of data leakage. The low CVSS score reflects the limited scope and impact, but the vulnerability still represents a privacy risk that should be remediated.
Mitigation Recommendations
1. Upgrade VLC for Android to version 3.7.0 or later, where this vulnerability is fixed with proper path canonicalization and directory containment checks.
2. If upgrading is not immediately possible, disable the Remote Access Server feature within VLC for Android to eliminate network exposure of the vulnerable endpoint.
3. Enforce strong authentication mechanisms and limit network access to the Remote Access Server to trusted networks only, reducing the risk of unauthorized access.
4. Monitor access logs for unusual or unauthorized file download requests that may indicate exploitation attempts.
5. Educate users about the risks of enabling remote access features and encourage use of secure network environments.
6. For organizations deploying VLC in managed environments, consider application sandboxing policies or mobile device management (MDM) controls to restrict app permissions and network access.
7. Regularly audit app versions and patch levels to ensure vulnerabilities are promptly addressed.
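Recommendation 4 asks for monitoring of download requests. The following added example (not from the advisory or from VLC) shows what such a check can look like over access-log lines: it parses each request line, isolates the `file` query parameter of `GET /download`, URL-decodes it and flags values that contain a `..` segment, start at the filesystem root or carry a NUL byte. The log format, client addresses, user names and request values are all constructed; the real Remote Access Server log format is an assumption, and `SAMPLE_LOG`, `is_traversal` and `scan_log` are hypothetical names.

```python
# Added example (not VLC code): flag traversal-shaped values of the `file`
# parameter on GET /download in constructed access-log lines.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed log lines in a common-log-like format. The actual log format of
# the Remote Access Server is an assumption here, not taken from the advisory.
SAMPLE_LOG = """\
192.168.1.20 - alice [26/Feb/2026:19:40:58 +0000] "GET /download?file=holiday.mp4 HTTP/1.1" 200 5120000
192.168.1.20 - alice [26/Feb/2026:19:41:03 +0000] "GET /download?file=..%2F..%2Fconfig.xml HTTP/1.1" 200 2048
192.168.1.31 - bob [26/Feb/2026:19:42:10 +0000] "GET /download?file=%2e%2e/%2e%2e/cache/thumb.db HTTP/1.1" 404 0
192.168.1.31 - bob [26/Feb/2026:19:43:10 +0000] "GET /index.html HTTP/1.1" 200 812
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal(value: str) -> bool:
    """True when the decoded parameter is shaped to leave the download directory.

    parse_qs already decodes one layer; unquote twice more so doubly encoded
    forms such as %252e%252e are caught. Backslashes are treated as separators
    so a Windows-style variant cannot slip past the segment check."""
    decoded = unquote(unquote(value))
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments or decoded.startswith("/") or "\x00" in decoded


def scan_log(text: str) -> list:
    """Return one finding per GET /download request whose file value looks like
    traversal, regardless of the response status: a 404 still records an attempt."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if m["method"] != "GET" or parts.path != "/download":
            continue
        for value in parse_qs(parts.query).get("file", []):
            if is_traversal(value):
                findings.append({
                    "ip": m["ip"],
                    "user": m["user"],
                    "timestamp": m["ts"],
                    "status": m["status"],
                    "file": value,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"traversal attempt by {f['user']}@{f['ip']} at {f['timestamp']}: "
              f"file={f['file']!r} status={f['status']}")
```

Flagging on the decoded parameter rather than on the raw line matters because a literal `..` never appears in a percent-encoded request; and keeping failed requests in the output is deliberate, since after the fix in 3.7.0 the same probing would be answered with an error yet still indicates that a credentialed client is misbehaving.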
Affected Countries
United States, Germany, France, United Kingdom, India, Brazil, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-11T20:08:07.946Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a0a1ca85912abc71d0bb64
Added to database: 2/26/2026, 7:40:58 PM
Last enriched: 2/26/2026, 8:10:33 PM
Last updated: 2/27/2026, 3:14:42 AM