Home

Description

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.

PUBLISHED Reserved 2026-06-30 | Published 2026-06-30 | Updated 2026-07-14 | Assigner VulnCheck




MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

Authorization Bypass Through User-Controlled Key

Product status

Default status
unaffected

Any version
affected

77ad41678b45c4f6815940123f1796fc51259f45 (git)
unaffected

Credits

George Chen finder

References

github.com/iv-org/invidious/issues/5777 exploit

github.com/iv-org/invidious/issues/5777 (Researcher Disclosure) technical-description exploit

github.com/iv-org/invidious/pull/5790 (Fix PR) issue-tracking

github.com/...ommit/77ad41678b45c4f6815940123f1796fc51259f45 (Fix Commit) patch

www.vulncheck.com/...eo-deletion-via-missing-ownership-check third-party-advisory

cve.org (CVE-2026-58447)

nvd.nist.gov (CVE-2026-58447)

Download JSON