CVE-2026-58447 MEDIUM

CVE-2026-58447: Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check

Vendor Iv-Org
Product Invidious
Weakness CWE-639 · IDOR
Published June 30, 2026
Last update June 30, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.

Key dates

02Disclosure timeline

June 30, 2026 CVE published