CVE-2026-57946
Received - Intake

Unauthenticated Access to Private Playlists in Invidious

Vulnerability report for CVE-2026-57946, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain the full playlist contents, owner email address, and associated video entries without any authentication.


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

1 associated CPE:
Vendor: iv_org
Product: invidious
Version / Range: up to 2.20260626.0 (excluding)

Exploitability

CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Executive Summary

CVE-2026-57946 is a broken access control vulnerability in Invidious versions before 2.20260626.0. It allows unauthenticated attackers to access private playlist contents by using the RSS feed playlist endpoint without any authentication.

Specifically, attackers can supply a playlist ID to the RSS feed endpoint and retrieve the full playlist details, including the playlist title, all associated videos, and the owner's email address embedded in the feed. This happens because the RSS feed endpoint does not enforce privacy settings for Invidious-native playlists, unlike other access methods that correctly restrict access.

While brute-forcing playlist IDs is difficult due to their cryptographic randomness, if an attacker obtains a playlist ID (for example, from a shared link or browser history), they can exploit this flaw to view private information without authorization.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of private playlist contents and the owner's email address.

  • Exposure of private playlist details that users expect to remain confidential.
  • Leakage of the owner's email address, which could be used for phishing or account enumeration attacks.
  • Potential privacy violations if sensitive or personal video content is included in private playlists.

Overall, the vulnerability undermines user privacy and trust by bypassing intended access controls on private data.

Detection Guidance

This vulnerability can be detected by attempting to access the RSS feed playlist endpoint without authentication using a known or suspected private playlist ID. If the private playlist contents, including the owner's email address and video entries, are returned without requiring authentication, the system is vulnerable.

A practical detection method is to send an HTTP GET request to the endpoint `/feed/playlist/:plid` where `:plid` is a playlist ID. If the response includes private playlist details, the vulnerability exists.

Example command using curl to test a playlist ID (replace PLAYLIST_ID with an actual ID):

  • curl -i https://your-invidious-instance/feed/playlist/PLAYLIST_ID

If the response contains playlist details and the owner's email address without authentication, the vulnerability is present.

Mitigation Strategies

The immediate mitigation step is to upgrade Invidious to version 2.20260626.0 or later, where this vulnerability has been fixed.

The fix ensures that private playlists accessed via the RSS feed endpoint return an error message or a 404 response if the requester is not the playlist owner, preventing unauthorized access.

If upgrading immediately is not possible, restrict access to the RSS feed playlist endpoint or implement additional access controls to prevent unauthenticated access to private playlists.
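The following is an added illustration, not Invidious code: a simplified model of the feed route before and after the fix described above, with constructed playlist data. It shows the missing owner check (CWE-862) that the detection step above observes, and the owner check that the fixed version applies; returning the same 404 for "private and not owner" as for "not found" is this example's choice.

```python
"""Model of the authorization gap behind CVE-2026-57946 and its fix.
Added example, not Invidious's own code; Playlist and both handlers
are simplified stand-ins for the real server."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Playlist:
    plid: str
    title: str
    owner_email: str
    privacy: str  # "public" or "private"
    videos: list = field(default_factory=list)


# Constructed sample data: not real playlist IDs, users or addresses.
PLAYLISTS = {
    "IVPL-public-1": Playlist("IVPL-public-1", "Talks", "alice@example.invalid", "public", ["v1", "v2"]),
    "IVPL-private-1": Playlist("IVPL-private-1", "Drafts", "bob@example.invalid", "private", ["v3"]),
}


def render_feed(pl: Playlist) -> str:
    """Minimal stand-in for the RSS body; the owner address is part of it,
    which is why the missing check also leaks the email."""
    items = "".join(f"<item>{v}</item>" for v in pl.videos)
    return f"<rss><title>{pl.title}</title><author>{pl.owner_email}</author>{items}</rss>"


def feed_vulnerable(plid: str, user_email: Optional[str]) -> tuple:
    """Before the fix (CWE-862): the route looks the playlist up and renders
    it without consulting the privacy setting or who is asking."""
    pl = PLAYLISTS.get(plid)
    if pl is None:
        return 404, "Playlist not found"
    return 200, render_feed(pl)


def feed_fixed(plid: str, user_email: Optional[str]) -> tuple:
    """After the fix: a private playlist is served only to its owner; any
    other requester, anonymous included, gets the same 404 as a missing
    playlist, so the response does not confirm that the ID exists."""
    pl = PLAYLISTS.get(plid)
    if pl is None or (pl.privacy == "private" and user_email != pl.owner_email):
        return 404, "Playlist not found"
    return 200, render_feed(pl)
```

Run against the constructed data, the vulnerable handler returns the private feed (and the owner's address) to an anonymous caller, while the fixed handler returns it only when the session belongs to the owner.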

Compliance Impact

The vulnerability allows unauthenticated attackers to access private playlist contents and the owner's email address. This unauthorized disclosure of personal data, such as email addresses, could lead to violations of data protection regulations like GDPR, which require protection of personal information and restrict unauthorized access.

Because private data is exposed through a broken access control mechanism, organizations using affected versions of Invidious may face compliance risks related to confidentiality and privacy requirements mandated by standards such as GDPR and HIPAA.

The exposure of owner email addresses and private playlist contents could facilitate phishing attacks or account enumeration, further increasing the risk of non-compliance with regulations that mandate safeguarding user data.
