CVE-2026-24139

MEDIUM

MyTube < 1.7.78 - Unauthenticated Database Export via Missing Authorization

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-24139. PoCs published by p1ngul1n0.

AI-analyzed exploit summary: The repository contains a functional proof-of-concept for an authorization bypass vulnerability (CVE-2026-24139) in MyTube, allowing guest users to download the application database via a crafted HTTP request. The PoC includes a curl command demonstrating the exploit.

Description

MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view.

Exploits (1)

github WORKING POC 1 star
by p1ngul1n0 · poc
https://github.com/p1ngul1n0/security-research/tree/main/CVE-2026-24139.md


Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: MyTube (version not specified)
Auth required
Prerequisites: valid authentication token (mytube_auth_token)
devstral-2 · analyzed Feb 27, 2026

Scores

CVSS v3 6.5
EPSS 0.0032
EPSS Percentile 23.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE CWE-862
Status published
Products (1)
franklioxygen/mytube < 1.7.78
Published Jan 24, 2026
Tracked Since Feb 18, 2026