CVE-2026-50019
Awaiting Analysis - Queue
Cookie Leak in yt-dlp with Curl Downloader

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
yt-dlp is a command-line audio/video downloader. From 2023.09.24 until 2026.06.09, if curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. At the file download stage, the cookies are passed by yt-dlp to the file downloader via --cookie. However, unless these are loaded from a file, this operation does not activate the cookie engine. As a result, curl will send cookies with requests to domains or paths for which the cookies are not scoped. This vulnerability is fixed in 2026.06.09.
Meta Information
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
2 associated CPEs:
Vendor: yt-dlp | Product: yt-dlp | Version / Range: from 2023.09.24 (inclusive) to 2026.06.09 (exclusive)
Vendor: yt-dlp | Product: yt-dlp | Version: 2026.06.09
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-50019 is a moderate severity vulnerability in yt-dlp versions from 2023.09.24 to 2026.06.08 that occurs when curl is used as an external downloader.

The issue arises because cookies are passed to curl via the --cookie option without activating curl's cookie engine, causing curl to send cookies to unintended domains during HTTP redirects or when the host for download fragments differs from the parent manifest's host.

An attacker can exploit this by crafting a malicious URL that redirects from a trusted site to an attacker-controlled server, causing sensitive cookies to be leaked.

This vulnerability was fixed in yt-dlp version 2026.06.09 by changing how cookies are passed to curl, using stdin, /dev/fd/0, or temporary files.
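The following is an added example, not code from yt-dlp or curl, that models the two ways of handing cookies to curl described above: a `--cookie "name=value"` string, which curl sends as one fixed header to every host it contacts, versus a Netscape-format cookie jar (the file/stdin form the fix uses), which activates curl's cookie engine and scopes each cookie by domain, path and Secure flag. The cookies and URLs are constructed, and the matching logic is a simplified model of cookie scoping rather than curl's implementation.

```python
# Added example (not yt-dlp's or curl's code): why a `--cookie "k=v"` string
# leaks on redirect while a Netscape cookie-jar file keeps cookies scoped.
# The scoping rules below are a simplified model, not curl's implementation.
from urllib.parse import urlsplit

# Constructed sample cookies: (domain, path, secure, name, value).
COOKIES = [
    (".example.com", "/", True, "session", "s3cr3t"),
    ("cdn.example.com", "/frag/", False, "frag", "abc"),
]

def header_cookie_arg(cookies):
    """Vulnerable form: `--cookie "a=b; c=d"`. curl treats an argument that
    contains '=' as a literal Cookie header, not a file, so the cookie engine
    stays off and the header goes unchanged to redirect and fragment hosts."""
    return "; ".join(f"{name}={value}" for _, _, _, name, value in cookies)

def netscape_cookie_jar(cookies):
    """Fixed form: Netscape cookie-file text. Read as a file (or via stdin /
    /dev/fd/0), it activates curl's cookie engine and per-cookie scoping."""
    lines = ["# Netscape HTTP Cookie File"]
    for domain, path, secure, name, value in cookies:
        subdomains = "TRUE" if domain.startswith(".") else "FALSE"
        expiry = "0"  # 0 = session cookie
        lines.append("\t".join([domain, subdomains, path,
                                "TRUE" if secure else "FALSE", expiry, name, value]))
    return "\n".join(lines) + "\n"

def _domain_matches(cookie_domain, host):
    if cookie_domain.startswith("."):
        parent = cookie_domain[1:]
        return host == parent or host.endswith("." + parent)
    return host == cookie_domain

def cookies_for_url(cookies, url):
    """Simplified cookie-engine matching (domain, path prefix, Secure flag):
    the cookie names a scoped client would attach to a request for `url`."""
    u = urlsplit(url)
    host, path = (u.hostname or "").lower(), u.path or "/"
    return [name for domain, cpath, secure, name, _ in cookies
            if _domain_matches(domain, host)
            and path.startswith(cpath)
            and (not secure or u.scheme == "https")]

def leaked_on_redirect(cookies, redirect_url):
    """Cookie names the header form sends to `redirect_url` that the jar form would not."""
    scoped = set(cookies_for_url(cookies, redirect_url))
    return [name for _, _, _, name, _ in cookies if name not in scoped]
```

For a redirect to an unrelated host, `leaked_on_redirect` returns every cookie, which is the leak the description refers to; for an in-scope fragment host it returns nothing.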

Impact Analysis

This vulnerability can lead to the leakage of sensitive cookies to unintended or attacker-controlled hosts.

Such cookie leaks can compromise user confidentiality by exposing session or authentication information.

The CVSS score of 6.1 indicates a moderate risk with high confidentiality impact but no impact on integrity or availability.

Exploitation requires user interaction but no special privileges, and the attack complexity is high.

Detection Guidance

Detection of this vulnerability involves identifying usage of vulnerable yt-dlp versions (2023.09.24 to 2026.06.08) that use curl as an external downloader.

You can check the yt-dlp version installed on your system with the command:

  • yt-dlp --version

To detect if cookie leakage is occurring during downloads, monitor network traffic for HTTP redirects or requests to domains different from the original manifest host that include cookie headers.

Using tools like tcpdump or Wireshark, you can filter HTTP requests with cookies sent to unexpected domains. For example, with tcpdump:

  • tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep 'Cookie:'

Note that over HTTPS the Cookie header is encrypted on the wire, so this filter only matches cleartext HTTP on port 80; HTTPS traffic can only be inspected this way at a point where it is decrypted.

Additionally, review yt-dlp command invocations to see if curl is used as an external downloader with the --external-downloader curl option.

Mitigation Strategies

The primary mitigation step is to upgrade yt-dlp to version 2026.06.09 or later, where the vulnerability is fixed.

This update modifies how cookies are passed to curl, preventing cookie leakage by using stdin, /dev/fd/0, or temporary files instead of the vulnerable --cookie method.

Until you can upgrade, avoid using curl as an external downloader with yt-dlp or avoid downloading from untrusted sources that may cause redirects.

Also, consider monitoring network traffic for suspicious cookie leaks as a temporary detection measure.

Compliance Impact

This vulnerability in yt-dlp can lead to the leakage of cookies to unintended hosts, potentially exposing sensitive user information. Such unauthorized disclosure of data could impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized access or sharing.

Since cookies may contain personal or session-related data, their leakage to attacker-controlled domains could be considered a breach of confidentiality obligations under these standards. Organizations using vulnerable versions of yt-dlp might face increased risk of non-compliance due to this exposure.

The vulnerability has a high confidentiality impact but does not affect integrity or availability, so the risk relates primarily to unauthorized data disclosure.

Mitigation by upgrading to the patched version (2026.06.09 or later) is essential to maintain compliance and reduce the risk of data leakage.
