CVE-2026-26228: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in VideoLAN VLC for Android
VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalization or directory containment checks, allowing an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory. The impact is bounded by the Android application sandbox and storage restrictions, typically limiting exposure to app-internal and app-specific external storage.
AI Analysis
Technical Summary
CVE-2026-26228 is a path traversal vulnerability identified in the Remote Access Server feature of VideoLAN VLC for Android prior to version 3.7.0. The vulnerability exists in the handling of the GET /download endpoint, where the file query parameter is concatenated directly into a filesystem path under the configured download directory without proper canonicalization or directory containment validation. This flaw allows an authenticated attacker with network access to the Remote Access Server to craft requests that traverse directories and access files outside the intended download directory. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path). The impact is constrained by Android's application sandboxing and storage model, which typically restricts file access to the app's internal storage and app-specific external storage areas. Therefore, while an attacker can access files outside the designated download directory, they remain confined within the app's storage boundaries, limiting the scope of sensitive data exposure. The vulnerability requires authentication, does not require user interaction, and can be exploited remotely over the network. The CVSS v4.0 base score is 2.3, indicating low severity due to limited impact and the need for authentication. No public exploits are known at this time. The issue was published on February 26, 2026, and affects all versions prior to 3.7.0. No official patch links were provided in the source data, but upgrading VLC for Android to version 3.7.0 or later is the recommended remediation.
Potential Impact
The primary impact of CVE-2026-26228 is unauthorized access to files outside the intended download directory within the VLC for Android app's storage sandbox. This could allow an attacker to read sensitive files stored by the app, potentially exposing user data or configuration files. However, the impact is limited by Android's sandboxing, preventing access to files outside the app's storage area, thus reducing risk to the broader device filesystem or other apps' data. The requirement for authentication and network access further limits exploitation to scenarios where an attacker has valid credentials and network reachability to the Remote Access Server. Organizations deploying VLC for Android with remote access enabled could face confidentiality risks if sensitive files are stored within the app's accessible directories. While the vulnerability does not allow code execution or privilege escalation, unauthorized file disclosure could aid attackers in reconnaissance or further attacks. The low CVSS score reflects the limited scope and impact, but the vulnerability still represents a privacy and data exposure risk for affected users and organizations.
Mitigation Recommendations
To mitigate CVE-2026-26228, organizations and users should upgrade VLC for Android to version 3.7.0 or later, where the vulnerability has been addressed. If upgrading immediately is not possible, consider disabling the Remote Access Server feature to eliminate network exposure. Additionally, restrict network access to the Remote Access Server using firewall rules or VPNs to limit attacker reachability. Implement strong authentication mechanisms and monitor authentication logs for suspicious access attempts. Developers should ensure proper canonicalization and directory traversal checks are implemented when handling file paths, validating that requested files reside strictly within the intended directory. Regularly audit app storage for sensitive files and avoid storing critical data in app-specific directories accessible via the Remote Access Server. Employ application-level logging and alerting to detect anomalous file access patterns. Finally, maintain up-to-date software inventories and vulnerability management processes to promptly address such issues.
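The developer-side recommendation above (canonicalize, then verify the requested file resides strictly within the intended directory) is the core fix for this bug class. The following is an added illustration, not VLC's own code: a constructed download directory, the unsafe join pattern the advisory describes beside a hardened resolver, and a small log-side helper for the "monitor for anomalous access" advice. It is written in Python so it runs anywhere; in the app's own Kotlin/Java the same realpath-then-prefix check maps onto `File.getCanonicalPath()`. The directory layout, file names and `looks_like_traversal` helper are all assumptions made for the example.

```python
import os
import tempfile
from urllib.parse import unquote


def setup_fixture():
    """Construct a sample tree (hypothetical, not the app's real layout): a download
    directory with one file and a sub-folder, plus a sibling file that must stay
    unreachable. Returns (download_dir, outside_file, symlink_created)."""
    root = tempfile.mkdtemp(prefix="vlc_example_")
    download_dir = os.path.join(root, "downloads")
    os.makedirs(os.path.join(download_dir, "sub"))
    for rel in ("movie.mp4", os.path.join("sub", "clip.mkv")):
        with open(os.path.join(download_dir, rel), "w") as fh:
            fh.write("sample media bytes\n")
    outside = os.path.join(root, "secret.txt")
    with open(outside, "w") as fh:
        fh.write("constructed sensitive content\n")
    symlink_created = True
    try:
        # A symlink inside the download dir pointing outside it: the resolver must
        # see through this, or a string-prefix check alone would be bypassed.
        os.symlink(outside, os.path.join(download_dir, "link.txt"))
    except (OSError, NotImplementedError):
        symlink_created = False  # platform without symlink support
    return download_dir, outside, symlink_created


def unsafe_resolve(download_dir, file_param):
    """The pattern the advisory describes: the query value is joined onto the
    directory with no canonicalization and no containment check."""
    return os.path.join(download_dir, unquote(file_param))


def safe_resolve(download_dir, file_param):
    """Canonicalize and enforce containment. Returns the canonical path to serve,
    or None when the request must be rejected (the handler would answer 400/404)."""
    base = os.path.realpath(download_dir)
    # Decode once, join, then collapse '..' and follow symlinks in a single step.
    candidate = os.path.realpath(os.path.join(base, unquote(file_param)))
    # Component-wise prefix test: '/x/downloads_old' is NOT inside '/x/downloads',
    # which a plain startswith() on the string would get wrong.
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:
        inside = False  # e.g. different drives on Windows
    if not inside or candidate == base or not os.path.isfile(candidate):
        return None
    return candidate


def looks_like_traversal(file_param):
    """Detection helper for request logs: flag a file parameter that carries a
    '..' component or an absolute path once URL-decoded. Worth alerting on even
    after the fix is deployed, since it signals probing of the endpoint."""
    decoded = unquote(file_param).replace("\\", "/")
    return ".." in decoded.split("/") or os.path.isabs(decoded)


if __name__ == "__main__":
    d, outside, _ = setup_fixture()
    for p in ("movie.mp4", "sub/clip.mkv", "../secret.txt", "..%2Fsecret.txt", outside):
        print(f"{p!r:40} safe={safe_resolve(d, p)!r} flagged={looks_like_traversal(p)}")
```

Note that `safe_resolve` accepts `sub/../movie.mp4`: the check is on the resolved location, not on the presence of `..` in the string, so legitimate relative references keep working while anything that lands outside the directory (including via a symlink) is refused. The detection helper is deliberately string-based and stricter, because for alerting a false positive is cheap and a missed probe is not.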
Affected Countries
United States, Germany, France, United Kingdom, India, Brazil, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-11T20:08:07.946Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a0a1ca85912abc71d0bb64
Added to database: 2/26/2026, 7:40:58 PM
Last enriched: 3/5/2026, 8:41:00 PM
Last updated: 4/13/2026, 1:53:25 AM