CVE-2026-33890

MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue.

Configurations

Configuration 1

cpe:2.3:a:franklioxygen:mytube:*:*:*:*:*:*:*:*

History

01 Apr 2026, 13:44

Type | Values Removed | Values Added
References | () https://github.com/franklioxygen/MyTube/commit/d6c1275a7ff7ffd3d51b53c333237f4d572580ac - | () https://github.com/franklioxygen/MyTube/commit/d6c1275a7ff7ffd3d51b53c333237f4d572580ac - Patch
References | () https://github.com/franklioxygen/MyTube/security/advisories/GHSA-378w-xh68-qrc8 - | () https://github.com/franklioxygen/MyTube/security/advisories/GHSA-378w-xh68-qrc8 - Exploit, Vendor Advisory
First Time | | Franklioxygen; Franklioxygen mytube
CPE | | cpe:2.3:a:franklioxygen:mytube:*:*:*:*:*:*:*:*
CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 9.8

27 Mar 2026, 15:16

Type | Values Removed | Values Added
Summary | | (es) MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full administrator session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey automatically receives an administrator token, allowing full administrative access to the application. This allows a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue.
References | () https://github.com/franklioxygen/MyTube/security/advisories/GHSA-378w-xh68-qrc8 - | () https://github.com/franklioxygen/MyTube/security/advisories/GHSA-378w-xh68-qrc8 -

27 Mar 2026, 01:16

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-03-27 01:16

Updated : 2026-04-01 13:44


NVD link : CVE-2026-33890

Mitre link : CVE-2026-33890

CVE.ORG link : CVE-2026-33890

Products Affected

franklioxygen

  • mytube

CWE

CWE-284: Improper Access Control