7.1 HIGH
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): None (N)
- Vulnerable System Impact Integrity (VI): High (H)
- Vulnerable System Impact Availability (VA): None (N)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): None (N)
- Modified Vulnerable System Impact Integrity (MVI): High (H)
- Modified Vulnerable System Impact Availability (MVA): None (N)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
- Exploit Maturity (E): Not Defined (X)
Activity log
- Created suggestion
Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check
Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.
References
-
-
Fix PR issue-tracking
-
Fix Commit patch
-
https://www.vulncheck.com/advisories/invidious-cross-user-playlist-video-deleti… third-party-advisory
Affected products
- =<2.20260626.0
- ==77ad41678b45c4f6815940123f1796fc51259f45
Matching in nixpkgs
pkgs.invidious
Open source alternative front-end to YouTube
-
nixos-unstable 2.20260207.0
- nixpkgs-unstable 2.20260207.0
- nixos-unstable-small 2.20260207.0
-
nixos-26.05 2.20260207.0
- nixos-26.05-small 2.20260207.0
- nixpkgs-26.05-darwin 2.20260207.0
pkgs.invidious-router
Go application that routes requests to different Invidious instances based on their health status and (optional) response time
Package maintainers
-
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>
-
@999eagle Sophie Tauchert <github@999eagle.moe>
-
@s1ls Silas Schöffel <sils@sils.li>
-
@cpages Carles Pagès <page@ruiec.cat>
-
@nvmd Sergey Kazenyuk <kazenyuk@pm.me>
-
@aanderse Aaron Andersen <aaron@fosslib.net>
-
@minijackson Rémi Nicole <minijackson@riseup.net>
-
@dschrempf Dominik Schrempf <dominik.schrempf@gmail.com>
-
@peterhoeg Peter Hoeg <peter@hoeg.com>