CVE-2026-26228
Path Traversal in VLC Android Remote Access Server Allows File Access
Publication date: 2026-02-26
Last updated on: 2026-02-27
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| videolan | vlc_for_android | < 3.7.0 (3.7.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in VideoLAN VLC for Android versions prior to 3.7.0. It is a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download.
The issue arises because the file query parameter is concatenated directly into a filesystem path under the configured download directory without proper canonicalization or directory containment checks.
This allows an authenticated attacker who can reach the Remote Access Server over the network to request files outside the intended download directory.
How can this vulnerability impact me?
The impact of this vulnerability is limited by the Android application sandbox and storage restrictions.
Typically, this means that an attacker can only access files within the app's internal storage or app-specific external storage, not the entire device filesystem.
However, an authenticated attacker with network access to the Remote Access Server could potentially access sensitive files stored within these app-specific areas.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Remote Access Server in VLC for Android prior to version 3.7.0, specifically the authenticated GET /download endpoint with a file query parameter that allows path traversal.
To detect this vulnerability on your network or system, you can monitor or capture HTTP requests to the Remote Access Server on VLC for Android instances and look for suspicious GET requests to the /download endpoint where the file parameter contains directory traversal patterns such as "../".
Example commands to detect such attempts could include using network traffic analysis tools like tcpdump or Wireshark to filter HTTP GET requests to the /download endpoint, or using curl or wget to test the endpoint manually if you have authenticated access.
- Using tcpdump to capture HTTP GET requests to the /download endpoint: `tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'GET /download'`
- Using curl to test for path traversal (replace <host> and <auth_token>): `curl -H 'Authorization: Bearer <auth_token>' 'http://<host>/download?file=../../../../etc/passwd'`
- Using Wireshark with the display filter `http.request.uri contains "/download" and http.request.method == "GET"`
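As an added illustration (not VLC's own code), the unchecked concatenation described in the explanation above is shown beside a canonicalize-and-contain check, and that same check is reused to flag GET /download requests in constructed sample log lines; the download directory path and the log-line format are assumptions.

```python
import os
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed download directory; the real app path is not stated on the page.
DOWNLOAD_DIR = "/data/user/0/org.videolan.vlc/files/downloads"


def vulnerable_resolve(base_dir: str, file_param: str) -> str:
    """Mirrors the flaw in the advisory: the file query value is appended
    under the download directory with no containment check, so '../'
    segments walk out of base_dir."""
    return os.path.normpath(base_dir + "/" + file_param)


def safe_resolve(base_dir: str, file_param: str) -> Optional[str]:
    """Hardened form: canonicalize, then require the result to stay inside
    base_dir. Returns None when the request must be rejected. A leading '/'
    is stripped so an absolute value is treated as relative to base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, file_param.lstrip("/")))
    # commonpath is the containment test; a plain startswith() would also
    # accept a sibling directory such as base_dir + "_other".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def is_traversal_request(log_line: str, base_dir: str = DOWNLOAD_DIR) -> bool:
    """Flags a request line whose GET /download file= value would escape
    base_dir. parse_qs percent-decodes the value, so '%2e%2e%2f' is caught
    as well as the literal '../' that a plain grep looks for."""
    parts = log_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return False
    url = urlsplit(parts[1])
    if url.path != "/download":
        return False
    return any(safe_resolve(base_dir, v) is None
               for v in parse_qs(url.query).get("file", []))


# Constructed sample request lines (not real captured traffic).
SAMPLE_LOG = [
    "GET /download?file=movie.mp4 HTTP/1.1",
    "GET /download?file=../../../../etc/passwd HTTP/1.1",
    "GET /download?file=%2e%2e%2f%2e%2e%2fsecret.txt HTTP/1.1",
    "GET /index.html HTTP/1.1",
]


def scan_log(lines: List[str]) -> List[str]:
    """Returns the request lines that attempt to leave the download directory."""
    return [line for line in lines if is_traversal_request(line)]
```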
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade VLC for Android to version 3.7.0 or later, where this path traversal vulnerability has been fixed.
Until the upgrade can be applied, restrict network access to the Remote Access Server feature of VLC for Android to trusted users only, as the vulnerability requires authentication and network reachability.
Additionally, consider disabling the Remote Access Server feature if it is not needed, to reduce the attack surface.