VideoLAN VLC for Android Remote Access OTP Authentication Bypass Vulnerability
Vulnerability
An authentication bypass vulnerability has been identified in VideoLAN VLC for Android versions prior to 3.7.0. The issue is in the Remote Access Server feature, which protects its web interface with a 4-digit one-time password (OTP). Because the server applies no effective throttling or lockout to OTP verification while the code is valid, an attacker with network access to the server can repeatedly submit guesses and enumerate all 10,000 possible codes within the OTP's validity period. A successful guess grants unauthorized access to the Remote Access interface, specifically to the media files shared by the VLC for Android user.
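The following is an added, self-contained model of the weakness described above. It is not VideoLAN's code and makes no claim about how VLC's Remote Access Server is actually implemented; the class and function names (OtpVerifier, brute_force, the 300-second TTL and the per-attempt latencies) are assumptions chosen for illustration. It shows why a 4-digit OTP with no attempt limit falls to enumeration well inside a realistic validity window, and how a small lockout threshold stops the same enumeration.

```python
"""Model of a 4-digit OTP check with and without throttling.

Illustrative code written for this page; not VideoLAN's implementation.
All names, the 300 s validity window and the timings are hypothetical.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


def make_otp() -> str:
    """Generate a 4-digit OTP (0000-9999): only 10_000 possible values."""
    return f"{secrets.randbelow(10_000):04d}"


@dataclass
class OtpVerifier:
    """Verifies a single OTP within its validity window.

    max_attempts=None models the unthrottled check: any number of guesses is
    accepted while the code is valid. A positive max_attempts models a
    lockout: once reached, the code is invalidated for its remaining life.
    """
    code: str
    issued_at: float                 # seconds, from a caller-supplied clock
    ttl: float = 300.0               # validity window in seconds (assumed)
    max_attempts: Optional[int] = None
    failures: int = field(default=0, init=False)
    locked: bool = field(default=False, init=False)

    def verify(self, guess: str, now: float) -> bool:
        if now - self.issued_at > self.ttl:
            return False             # expired
        if self.locked:
            return False             # locked out: do not even compare
        # Constant-time compare so response timing does not leak prefixes.
        if secrets.compare_digest(guess, self.code):
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True
        return False


def brute_force(verifier: OtpVerifier, start: float, per_attempt: float) -> Optional[str]:
    """Enumerate every 4-digit code, advancing a simulated clock per attempt.

    Returns the accepted code, or None if the verifier expired or locked
    before the enumeration reached it.
    """
    now = start
    for n in range(10_000):
        guess = f"{n:04d}"
        if verifier.verify(guess, now):
            return guess
        if verifier.locked:
            return None              # further guesses are pointless
        now += per_attempt
    return None


def demo() -> dict:
    code = "7342"  # fixed for reproducibility; a real server would use make_otp()
    # Unthrottled: 10k guesses at 10 ms each is ~100 s, inside a 5-minute window.
    weak = OtpVerifier(code=code, issued_at=0.0)
    weak_result = brute_force(weak, start=0.0, per_attempt=0.01)
    # Lockout after 5 wrong guesses: the attacker covers 5 of 10k candidates.
    hard = OtpVerifier(code=code, issued_at=0.0, max_attempts=5)
    hard_result = brute_force(hard, start=0.0, per_attempt=0.01)
    # No lockout, but a slow link: at 50 ms per attempt "7342" is reached at
    # ~367 s, after the 300 s TTL, so the enumeration happens to fail.
    slow = OtpVerifier(code=code, issued_at=0.0)
    slow_result = brute_force(slow, start=0.0, per_attempt=0.05)
    return {
        "unthrottled": weak_result,
        "lockout": hard_result,
        "slow_link": slow_result,
        "lockout_failures": hard.failures,
    }


if __name__ == "__main__":
    print(demo())
```

The third case is the caveat a reviewer should flag: an enumeration that merely runs out of time on a slow link is not a mitigation, since the attacker controls request rate and the window reopens with every new OTP. The fix is the explicit attempt counter and lockout (or exponential back-off) bound to the OTP's lifetime, as in the second case.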
Impact
Exploitation gives an attacker on the network unauthorized access to the Remote Access interface, limited to the media files the VLC for Android user has explicitly shared.
