CVE Alert

CVE-2026-58447

MEDIUM 6.5

Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check

CVSS Score: 6.5
EPSS Score: 0.0%
EPSS Percentile: 0th

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.
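To make the CWE-639 pattern described above concrete, here is an added illustration (not Invidious code; the store layout, field names and handler names are assumptions) of a remove_video handler that verifies the caller owns the named playlist but then deletes by global video index, beside a hardened version that also verifies the indexed row belongs to that playlist.

```python
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    pass


@dataclass
class PlaylistVideo:
    index: int          # global row index; exposed per video by a public playlist JSON API
    playlist_id: str
    video_id: str


@dataclass
class Store:
    owners: dict = field(default_factory=dict)   # playlist_id -> owning user
    videos: dict = field(default_factory=dict)   # global index -> PlaylistVideo


def remove_video_vulnerable(store, user, playlist_id, index):
    # Ownership of the *playlist* is checked, but the *object* being deleted is
    # selected by a caller-supplied global index with no check that it belongs
    # to that playlist: broken object level authorization (CWE-639).
    if store.owners.get(playlist_id) != user:
        raise AuthorizationError("not your playlist")
    return store.videos.pop(index, None)


def remove_video_fixed(store, user, playlist_id, index):
    if store.owners.get(playlist_id) != user:
        raise AuthorizationError("not your playlist")
    row = store.videos.get(index)
    # Hardened: the row must exist AND sit in the playlist the caller owns.
    if row is None or row.playlist_id != playlist_id:
        raise AuthorizationError("video index is not in your playlist")
    return store.videos.pop(index)


def build_store():
    # Constructed sample data: two users, one playlist each, one video each.
    s = Store(owners={"pl-alice": "alice", "pl-bob": "bob"})
    s.videos = {1: PlaylistVideo(1, "pl-alice", "vidA"),
                2: PlaylistVideo(2, "pl-bob", "vidB")}
    return s


def cross_playlist_delete(handler):
    # bob, acting on his own playlist, supplies alice's video index.
    # Returns "deleted" if alice's row was removed, "denied" if blocked.
    s = build_store()
    try:
        handler(s, "bob", "pl-bob", 1)
    except AuthorizationError:
        return "denied"
    return "denied" if 1 in s.videos else "deleted"
```

Audit every delete/update path whose object is selected by an id the client controls, not only the paths where the id is obviously "foreign".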

CWE: CWE-639
Vendor: iv-org
Product: invidious
Published: Jun 30, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Affected Versions

iv-org / Invidious
0 ≤ version ≤ 2.20260626.0

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/iv-org/invidious/issues/5777
github.com: https://github.com/iv-org/invidious/pull/5790
github.com: https://github.com/iv-org/invidious/commit/77ad41678b45c4f6815940123f1796fc51259f45
vulncheck.com: https://www.vulncheck.com/advisories/invidious-cross-user-playlist-video-deletion-via-missing-ownership-check

Credits

George Chen