CVE-2026-26228
Received Received - Intake
Path Traversal in VLC Android Remote Access Server Allows File Access

Publication date: 2026-02-26

Last updated on: 2026-02-27

Assigner: VulnCheck

Description
VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalization or directory containment checks, allowing an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory. The impact is bounded by the Android application sandbox and storage restrictions, typically limiting exposure to app-internal and app-specific external storage.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26228
EUVD
EUVD-2026-8858
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
videolan vlc_for_android to 3.7.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in VideoLAN VLC for Android versions prior to 3.7.0. It is a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download.

The issue arises because the file query parameter is concatenated directly into a filesystem path under the configured download directory without proper canonicalization or directory containment checks.

This allows an authenticated attacker who can reach the Remote Access Server over the network to request files outside the intended download directory.

Impact Analysis

The impact of this vulnerability is limited by the Android application sandbox and storage restrictions.

Typically, this means that an attacker can only access files within the app's internal storage or app-specific external storage, not the entire device filesystem.

However, an authenticated attacker with network access to the Remote Access Server could potentially access sensitive files stored within these app-specific areas.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves the Remote Access Server in VLC for Android prior to version 3.7.0, specifically the authenticated GET /download endpoint with a file query parameter that allows path traversal.

To detect this vulnerability on your network or system, you can monitor or capture HTTP requests to the Remote Access Server on VLC for Android instances and look for suspicious GET requests to the /download endpoint where the file parameter contains directory traversal patterns such as "../".

Example commands to detect such attempts could include using network traffic analysis tools like tcpdump or Wireshark to filter HTTP GET requests to the /download endpoint, or using curl or wget to test the endpoint manually if you have authenticated access.

  • Using tcpdump to capture HTTP GET requests to /download endpoint: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'GET /download'
  • Using curl to test for path traversal (replace <host> and <auth_token>): curl -H 'Authorization: Bearer <auth_token>' 'http://<host>/download?file=../../../../etc/passwd'
  • Using Wireshark to filter HTTP GET requests with 'http.request.uri contains "/download" and http.request.method == "GET"'
Mitigation Strategies

The primary mitigation step is to upgrade VLC for Android to version 3.7.0 or later, where this path traversal vulnerability has been fixed.

Until the upgrade can be applied, restrict network access to the Remote Access Server feature of VLC for Android to trusted users only, as the vulnerability requires authentication and network reachability.

Additionally, consider disabling the Remote Access Server feature if it is not needed, to reduce the attack surface.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26228. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart