CVE-2026-26227
Authentication Bypass in VLC Android Remote Access via OTP Brute-Force
Publication date: 2026-02-26
Last updated on: 2026-02-27
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| videolan | vlc_for_android | all versions before 3.7.0 (3.7.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | Improper Restriction of Excessive Authentication Attempts: the product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26227 is a vulnerability in VLC for Android versions prior to 3.7.0 that affects the Remote Access Server feature. It is an authentication bypass caused by missing or insufficient rate limiting on the one-time password (OTP) verification step.
The Remote Access Server authenticates a new browser session with a 4-digit OTP but does not enforce effective throttling or lockout within the OTP validity window. A 4-digit code has only 10,000 possible values, so an attacker with network access to the server can keep submitting guesses until one is accepted and a valid user_session cookie is issued.
Successful exploitation gives unauthorized access to the Remote Access interface, but that access is limited to the media files the VLC for Android user has explicitly shared.
How can this vulnerability impact me?
This vulnerability can allow an attacker with network access to the VLC for Android Remote Access Server to bypass authentication by guessing the 4-digit OTP repeatedly without effective rate limiting.
As a result, the attacker can gain unauthorized access to the Remote Access interface and view media files that the VLC user has explicitly shared.
While the access is limited to shared media files, this unauthorized access could lead to privacy breaches or exposure of sensitive media content.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an authentication bypass in the Remote Access Server feature of VLC for Android prior to version 3.7.0, caused by missing or insufficient rate limiting on the 4-digit OTP verification process.
Detection would involve monitoring for repeated OTP verification attempts to the Remote Access Server, especially many rapid attempts from the same source IP within the OTP validity window, which indicate brute-force guessing of the 4-digit OTP. Because the code space is only 10,000 values, a full sweep is a few thousand requests, so even a modest per-source threshold (tens of attempts per minute) sits far above anything a legitimate user produces.
Network detection could use tcpdump or Wireshark to capture traffic to the VLC Remote Access Server port and then filter for repeated OTP verification requests:
- `tcpdump -i <interface> port <remote_access_port> -w capture.pcap`
- `tshark -r capture.pcap -Y 'http.request.method == "POST" && http contains "otp"'`
Two caveats: Wireshark display-filter strings must be double-quoted (single quotes denote character constants), and the `otp` substring is only a starting point; adjust it to the actual parameter or path the server uses. These filters also only match plaintext HTTP; if the traffic is encrypted, fall back to counting connections or requests per source IP instead.
Additionally, reviewing VLC for Android logs (if accessible, for example via `adb logcat`) for multiple failed OTP attempts or an unusually high number of authentication attempts could help detect exploitation attempts.
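The per-source counting described above, turned into working detection logic as an added example (not code from the advisory, VulnCheck or the VLC project). It reads lines shaped like a tab-separated tshark field export (`-T fields -e frame.time_epoch -e ip.src -e http.request.uri`), keeps a sliding window of OTP verification attempts per source IP, and flags sources that exceed a threshold inside the window; it also reports how much of the 10,000-value OTP space a source has already covered. The `otp` URI marker, the 60-second window, the threshold of 20 and all sample traffic are assumptions constructed for the example.

```python
"""Per-source sliding-window detector for OTP brute-force attempts.

Added example, not code from the advisory, VulnCheck or the VLC project.
Input lines imitate a tab-separated tshark field export such as
  tshark -r capture.pcap -Y 'http.request.method == "POST"' \
      -T fields -e frame.time_epoch -e ip.src -e http.request.uri
The OTP URI marker, window and threshold below are assumptions; the
sample traffic is constructed, not a real capture.
"""
from collections import defaultdict, deque

OTP_SPACE = 10_000        # a 4-digit OTP has exactly 10,000 candidates
OTP_URI_MARKER = "otp"    # assumed: OTP verification requests carry "otp" in the URI
WINDOW_SECONDS = 60.0     # assumed detection window
THRESHOLD = 20            # assumed: more than this many attempts per window is brute force


def parse_line(line):
    """Parse 'epoch<TAB>src_ip<TAB>uri'; return (ts, src, uri) or None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3:
        return None
    try:
        return float(parts[0]), parts[1], parts[2]
    except ValueError:
        return None


def detect(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Flag source IPs whose OTP verification attempts within any `window`
    seconds exceed `threshold`.

    Returns {src_ip: {"peak": attempts_in_busiest_window, "total": n,
                      "keyspace_fraction": n / OTP_SPACE}}.
    """
    events = [rec for rec in map(parse_line, lines) if rec is not None]
    events.sort(key=lambda r: r[0])          # field exports are not guaranteed to be ordered
    recent = defaultdict(deque)              # per-source timestamps still inside the window
    total = defaultdict(int)
    peak = defaultdict(int)
    for ts, src, uri in events:
        if OTP_URI_MARKER not in uri.lower():
            continue                         # not an OTP verification request
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:     # drop attempts that fell out of the window
            q.popleft()
        total[src] += 1
        peak[src] = max(peak[src], len(q))
    return {
        src: {"peak": peak[src], "total": total[src],
              "keyspace_fraction": total[src] / OTP_SPACE}
        for src in total if peak[src] > threshold
    }


def sample_lines():
    """Constructed traffic: one legitimate user, one guessing client, some noise."""
    t0 = 1_700_000_000.0
    lines = [f"{t0 + 1.0}\t192.168.1.20\t/otp",     # legitimate user: first try, wrong
             f"{t0 + 9.0}\t192.168.1.20\t/otp",     # legitimate user: second try, correct
             f"{t0 + 3.0}\t192.168.1.30\t/",        # unrelated request, no OTP marker
             "garbage line without tabs"]           # malformed export line, skipped
    # guessing client: one attempt every 0.5 s for 150 s = 300 attempts
    lines += [f"{t0 + 0.5 * i}\t192.168.1.99\t/otp" for i in range(300)]
    return lines


if __name__ == "__main__":
    for src, stats in detect(sample_lines()).items():
        print(f"{src}: peak {stats['peak']} attempts/window, {stats['total']} total "
              f"({stats['keyspace_fraction']:.1%} of the 4-digit space)")
```

On the constructed sample only `192.168.1.99` is flagged (120 attempts in its busiest 60-second window, 300 in total, 3% of the code space); the legitimate user's two tries stay well under the threshold. When feeding real exports, generate the lines with the tshark command from the docstring and pipe them into `detect`.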
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade VLC for Android to version 3.7.0 or later, where this vulnerability has been addressed.
Until the upgrade can be applied, enable the Remote Access Server only on trusted networks (for example your home Wi-Fi) and turn it off when it is not in use; the server is reachable by every host on the same network, so avoid enabling it on shared or public Wi-Fi.
Consider disabling the Remote Access Server feature if it is not required.
Monitor for suspicious authentication attempts. Network-level rate limiting or firewall rules that cap repeated OTP verification requests per source address must be applied where you control the network path, which in practice means the Wi-Fi router or a firewall in front of the device rather than the phone itself.