CVE-2026-58447

Source
https://cve.org/CVERecord?id=CVE-2026-58447
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58447.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58447
Published
2026-06-30T21:05:53.535Z
Modified
2026-07-15T01:49:14.428551526Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check
Details

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.

Database specific
{
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58447.json"
}
References

Affected packages

Git / github.com/iv-org/invidious

Affected ranges

Type
GIT
Repo
https://github.com/iv-org/invidious
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.20260626.0"
        }
    ]
}

Affected versions

0.*
0.1.0
0.10.0
0.11.0
0.12.0
0.13.0
0.13.1
0.14.0
0.14.1
0.15.0
0.16.0
0.17.0
0.18.0
0.19.0
0.19.1
0.2.0
0.20.0
0.20.1
0.3.0
0.4.0
0.5.0
0.6.0
0.7.0
0.8.0
0.9.0
v2.*
v2.20240427
v2.20240825.1
v2.20240825.2
v2.20241110.0
v2.20250314.0
v2.20250913.0
v2.20260207.0
v2.20260626.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58447.json"