CVE-2026-26228 Overview
CVE-2026-26228 is a path traversal vulnerability affecting VideoLAN VLC for Android prior to version 3.7.0. The vulnerability exists in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without proper canonicalization or directory containment checks. This allows an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory.
Critical Impact
Authenticated attackers can traverse directory structures to access sensitive files outside the intended download directory, though impact is bounded by the Android application sandbox and storage restrictions.
Affected Products
- VideoLAN VLC for Android versions prior to 3.7.0
- VLC Android Remote Access Server component
- Devices running VLC for Android with Remote Access Server enabled
Discovery Timeline
- 2026-02-26 - CVE-2026-26228 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-26228
Vulnerability Analysis
This path traversal vulnerability (CWE-22) affects the Remote Access Server feature in VLC for Android. When a user enables the Remote Access Server functionality to stream or access media files over the network, the application exposes an authenticated HTTP endpoint at GET /download. The vulnerability stems from insufficient input validation on the file query parameter, which is directly concatenated to a base directory path without proper sanitization.
The absence of path canonicalization routines means that special directory traversal sequences like ../ are not neutralized before the file path is resolved. Additionally, there are no containment checks to ensure the resolved path remains within the designated download directory boundary.
While the vulnerability requires authentication to exploit, an attacker who has valid credentials or can intercept/obtain them could leverage this flaw to read files outside the intended directory scope. The practical impact is constrained by Android's application sandbox model and storage permission restrictions, typically limiting file access to app-internal storage and app-specific external storage directories.
Root Cause
The root cause of CVE-2026-26228 is improper input validation in the file download endpoint handler. The file query parameter value is directly appended to the configured download directory path without applying path canonicalization functions (such as resolving .. sequences) or implementing directory containment validation. This classic path traversal pattern allows directory escape through relative path manipulation.
Attack Vector
The attack is network-based, requiring the attacker to have network reachability to the VLC Remote Access Server and valid authentication credentials. An attacker would craft a malicious HTTP GET request to the /download endpoint with a file parameter containing directory traversal sequences (e.g., ../../sensitive_file). The server would then resolve this to a path outside the intended download directory and return the file contents if accessible within the Android sandbox constraints.
The exploitation requires:
- Remote Access Server feature to be enabled on the target VLC installation
- Network connectivity to the server (typically same local network)
- Valid authentication credentials
- Target files to be accessible within Android's sandbox permissions
Detection Methods for CVE-2026-26228
Indicators of Compromise
- HTTP requests to VLC Remote Access Server /download endpoint containing ../ or URL-encoded equivalents (%2e%2e%2f) in the file parameter
- Unusual file access patterns in VLC application logs showing requests for paths outside the download directory
- Network traffic showing repeated access attempts to the /download endpoint with varying traversal depths
Detection Strategies
- Monitor HTTP request logs for the Remote Access Server for path traversal patterns in query parameters
- Implement network intrusion detection rules to flag requests containing directory traversal sequences targeting VLC endpoints
- Review application logs for file access attempts that resolve to unexpected directories
Monitoring Recommendations
- Enable verbose logging on VLC Remote Access Server if available to capture request details
- Deploy network monitoring to detect anomalous traffic patterns to devices running VLC with Remote Access enabled
- Regularly audit which devices on the network have VLC Remote Access Server enabled and exposed
How to Mitigate CVE-2026-26228
Immediate Actions Required
- Update VLC for Android to version 3.7.0 or later immediately
- Disable the Remote Access Server feature if not actively needed until the update can be applied
- Review network access controls to limit which devices can reach VLC Remote Access Server instances
- Audit authentication credentials for the Remote Access Server and ensure strong, unique passwords are in use
Patch Information
VideoLAN has addressed this vulnerability in VLC for Android version 3.7.0. Users should update through the Google Play Store or download the latest version directly from the official VideoLAN download page. Release notes are available on the GitHub VLC Android Release 3.7.0 page.
Workarounds
- Disable the Remote Access Server feature in VLC for Android settings until the update is applied
- Restrict network access to devices running VLC by using firewall rules or network segmentation
- Limit the Remote Access Server to trusted networks only (avoid enabling on public Wi-Fi)
- If Remote Access must remain enabled, ensure strong authentication credentials are configured and regularly rotated
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
