Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 30 Jun 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own. | |
| Title | Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check | |
| First Time appeared |
Iv Org
Iv Org invidious |
|
| Weaknesses | CWE-639 | |
| CPEs | cpe:2.3:a:iv_org:invidious:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Iv Org
Iv Org invidious |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-30T21:05:53.535Z
Reserved: 2026-06-30T19:09:07.025Z
Link: CVE-2026-58447
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-06-30T22:30:06Z
Weaknesses