Low severity · 3.7 · NVD Advisory · Published Feb 26, 2026 · Updated Apr 15, 2026
CVE-2026-26227
Description
VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user.
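A generic server-side mitigation for the weakness described above, as an added example (not VLC's code and not the 3.7.0 fix): the failure budget is tied to the OTP itself, so a 4-digit code is burned after a few wrong guesses and the chance of guessing it is capped at `MAX_FAILURES` in 10,000 per issued OTP. The names `OtpGate`, `live_attempts`, `MAX_FAILURES` and `OTP_TTL_SECONDS` and their values are assumptions.

```python
import hmac
import secrets
import time

OTP_DIGITS = 4         # the 4-digit OTP from the advisory
MAX_FAILURES = 5       # assumption: wrong guesses allowed per issued OTP
OTP_TTL_SECONDS = 60   # assumption: OTP validity window


class OtpGate:
    """Hypothetical verifier: one OTP at a time, burned after MAX_FAILURES."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._code, self._expires, self._failures = None, 0.0, 0

    def issue(self):
        self._code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._expires = self._clock() + OTP_TTL_SECONDS
        self._failures = 0
        return self._code

    def is_live(self):
        return self._code is not None and self._clock() < self._expires

    def verify(self, guess):
        """Return a fresh session token on success, None otherwise."""
        if not self.is_live():
            self._code = None
            return None
        if hmac.compare_digest(guess.encode(), self._code.encode()):
            self._code = None          # single use
            return secrets.token_urlsafe(32)
        # Count failures against the OTP itself, not the client address,
        # so switching source addresses does not reset the budget.
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._code = None          # burn it; a new OTP must be issued
        return None


def live_attempts(gate, guesses):
    """Self-check helper: how many guesses were checked against a live OTP."""
    live, token = 0, None
    for g in guesses:
        if token or not gate.is_live():
            break
        live, token = live + 1, gate.verify(g)
    return live, token
```
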
Affected products
- Range: < 3.7.0