CVE-2026-33890
CRITICAL
MyTube <1.8.71 Passkey Registration - Admin Privilege Escalation
Title source: manual
Description
MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue.
References (2)
x_refsource_confirm: https://github.com/franklioxygen/MyTube/security/advisories/GHSA-378w-xh68-qrc8
x_refsource_misc: https://github.com/franklioxygen/MyTube/commit/d6c1275a7ff7ffd3d51b53c333237f4d572580ac
Scores
CVSS v3: 9.8
EPSS: 0.0049
EPSS Percentile: 38.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-284
Status: published
Products (2)
franklioxygen/mytube: < 1.8.71
franklioxygen/MyTube: < 1.8.71
Published: Mar 27, 2026
Tracked Since: Mar 27, 2026