Description
Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain the full playlist contents, owner email address, and associated video entries without any authentication.
Problem types
Product status
Any version before 2.20260626.0
Credits
George Chen
References
github.com/iv-org/invidious/issues/5775
github.com/iv-org/invidious/releases/tag/v2.20260626.0 (Release Notes)
github.com/iv-org/invidious/issues/5775 (Researcher Disclosure)
github.com/iv-org/invidious/pull/5776 (Pull Request)
github.com/...ommit/c435dc1204970bcca06bcdcfb116c22092be22fd (Patch Commit)
www.vulncheck.com/...e-via-unauthenticated-rss-feed-endpoint