CVE-2026-57946
Severity: Low (CVSS 3.7)

Summary
A broken access control vulnerability in Invidious before version 2.20260626.0 allows unauthenticated attackers to retrieve private playlist contents via the RSS feed playlist endpoint. Attackers can supply a playlist ID to obtain the full playlist contents, owner email address, and associated video entries without authentication.
Risk Assessment
The risk is exposure of sensitive user data (owner email addresses and the contents of private playlists) to any unauthenticated requester, which could lead to privacy breaches and targeted social engineering.
Recommendation
Immediately upgrade Invidious to version 2.20260626.0 or later, which includes a fix for the access control flaw.
Original NVD description (English source)
Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain the full playlist contents, owner email address, and associated video entries without any authentication.
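The flaw described above is a missing authorization decision on a feed route: the handler resolves a playlist by ID and renders it, owner email included, without asking whether the requester may see a private playlist. The following Ruby sketch is an added example, not Invidious code (Invidious is written in Crystal) and not the actual fix; the playlist store, the per-playlist feed token and all names are constructed for illustration. It shows the unchecked pattern beside a hardened handler that serves private playlists only to a request carrying the owner's feed token, answers "not found" for both missing and unauthorized private IDs, and never includes the owner's email in the feed body.

```ruby
# Constructed illustration of a feed endpoint with and without an
# ownership check. Hypothetical data and helpers; not Invidious code.

Playlist = Struct.new(:id, :owner_email, :privacy, :videos, :feed_token,
                      keyword_init: true)

# Constructed in-memory store standing in for the database.
PLAYLISTS = {
  "PL-public-1"  => Playlist.new(id: "PL-public-1",
                                 owner_email: "alice@example.com",
                                 privacy: :public,
                                 videos: ["vid-a", "vid-b"],
                                 feed_token: "tok-alice-1"),
  "PL-private-2" => Playlist.new(id: "PL-private-2",
                                 owner_email: "bob@example.com",
                                 privacy: :private,
                                 videos: ["vid-c"],
                                 feed_token: "tok-bob-2"),
}.freeze

# Constant-time string comparison so token checks do not leak timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

# Vulnerable pattern: look the playlist up by ID and render it for
# whoever asks, including the owner's email address.
def feed_unchecked(playlist_id)
  pl = PLAYLISTS[playlist_id]
  return nil unless pl
  { id: pl.id, owner_email: pl.owner_email, videos: pl.videos }
end

# Hardened pattern. Feed readers do not carry a login session, so the
# session-based check used elsewhere never runs on the feed route; the
# route itself must decide. Public playlists are served to anyone,
# private ones only with the owner's per-playlist feed token, and the
# owner's email is not part of the rendered feed at all.
def feed_authorized(playlist_id, feed_token: nil)
  pl = PLAYLISTS[playlist_id]
  # Same "not found" answer for a missing ID and for an unauthorized
  # private one, so the endpoint does not confirm that a private ID exists.
  return nil unless pl
  if pl.privacy == :private
    return nil unless feed_token && constant_time_equal?(feed_token, pl.feed_token)
  end
  { id: pl.id, videos: pl.videos }
end

if __FILE__ == $PROGRAM_NAME
  puts "unchecked private:  #{feed_unchecked('PL-private-2').inspect}"
  puts "authorized, no tok: #{feed_authorized('PL-private-2').inspect}"
  puts "authorized, token:  #{feed_authorized('PL-private-2', feed_token: 'tok-bob-2').inspect}"
end
```

A quick regression check for a deployment is to request the feed for a playlist you own and have marked private, once with no credentials and once with the wrong credentials: both should answer as if the playlist did not exist, and a public playlist's feed should contain no account identifiers.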

