CVE-2026-58447
Received - Intake

Invidious Playlist Video Deletion Authorization Bypass

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: invidious
Product: invidious
Version / Range: to 2.20260626.0 (exc)

Exploitability

CWE

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Executive Summary

This vulnerability exists in Invidious through version 2.20260626.0 and is a broken object level authorization issue. It allows authenticated attackers to delete videos from other users' playlists by providing an arbitrary global video index in the remove_video action of the playlist endpoint.

Attackers can find the per-video index values from the public playlist JSON API and then use these values to delete videos from playlists they do not own, as there is no ownership validation in place.

Impact Analysis

This vulnerability can impact you by allowing unauthorized deletion of videos from your playlists by other authenticated users. This means your curated playlists could be tampered with or permanently altered without your consent.
