Platform: nginx
Component: nginx
Fixed in: 1.7.67
CVE-2026-23837 is an authentication bypass in MyTube, a self-hosted video downloader and player. The flaw lets unauthenticated requests pass the authentication check, exposing sensitive application settings and user data. It affects MyTube versions up to and including 1.7.66, and only instances configured with login enabled; version 1.7.67 contains the fix.
The impact is significant. An attacker can read and modify the /api/settings endpoint without authenticating, which allows them to alter application configuration, change the administrative and visitor passwords, and potentially take complete control of the MyTube instance. Because authentication is not enforced on this path, anyone who can send HTTP requests to the MyTube server can exploit it. The bypass defeats the controls that are supposed to protect sensitive data and administrative functions, creating a high-risk scenario for data exposure and unauthorized modification.
CVE-2026-23837 was publicly disclosed on 2026-01-19. The simplicity of the flaw and the absence of any authentication requirement mean the barrier to exploitation is low. No public proof-of-concept (PoC) had been identified as of the publication date, but the ease of exploitation makes it an attractive target for opportunistic attackers. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status: EPSS 0.33% (55th percentile); CISA SSVC and CVSS vector: not given.
The primary mitigation for CVE-2026-23837 is to upgrade MyTube to version 1.7.67 or later. If you cannot upgrade immediately, restrict access to the /api/ endpoints at a firewall or reverse proxy so that only trusted networks can reach them; a Web Application Firewall (WAF) rule that blocks requests to /api/settings lacking an authentication cookie is a weaker stopgap, since it checks for the presence of a cookie rather than its validity. As a last resort, apply the fix manually by modifying the roleBasedAuthMiddleware to return a 401 error when req.user is undefined. After upgrading or patching, verify the fix by requesting /api/settings without an authentication cookie; the server should reject the request with a 401 rather than return the settings.
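As an added illustration (not MyTube's code), the following JavaScript contrasts an assumed vulnerable shape of roleBasedAuthMiddleware with the deny-by-default version the manual patch describes. Only the names roleBasedAuthMiddleware, req.user, loginEnabled and the /api/settings path come from the advisory; the exact vulnerable logic, the in-memory settings object, the stand-in res object and the sample requests are constructed for the example.

```javascript
// Added example, not MyTube's own code. The advisory states that the fix
// makes roleBasedAuthMiddleware return 401 when req.user is undefined;
// the vulnerable variant below is an assumed reconstruction of a common
// fall-through pattern, and the helper names are hypothetical.

// Minimal stand-in for an Express-style response object so the example
// runs without a web framework.
function makeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Assumed vulnerable shape: the middleware only rejects a user whose role
// is not allowed. With no session, req.user is undefined, the role
// comparison is skipped entirely, and the request reaches the protected
// handler. This is the bypass the advisory describes.
function vulnerableRoleBasedAuthMiddleware(settings, allowedRoles) {
  return (req, res, next) => {
    if (!settings.loginEnabled) return next(); // login disabled: open by design
    if (req.user && !allowedRoles.includes(req.user.role)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next(); // BUG: also reached when req.user is undefined
  };
}

// Hardened shape: deny by default. No authenticated user -> 401,
// authenticated but wrong role -> 403, otherwise continue.
function fixedRoleBasedAuthMiddleware(settings, allowedRoles) {
  return (req, res, next) => {
    if (!settings.loginEnabled) return next();
    if (req.user === undefined) {
      return res.status(401).json({ error: 'authentication required' });
    }
    if (!allowedRoles.includes(req.user.role)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}

// Drive a middleware with a constructed request. Returns the HTTP status
// the middleware set, or 'next' if it let the request through.
function run(middleware, req) {
  const res = makeRes();
  let reachedHandler = false;
  middleware(req, res, () => { reachedHandler = true; });
  return reachedHandler ? 'next' : res.statusCode;
}

// Constructed inputs: three requests to /api/settings
// (anonymous, visitor role, admin role).
const ADMIN_ONLY = ['admin'];
const anonymous = { path: '/api/settings' }; // no req.user at all
const visitor = { path: '/api/settings', user: { role: 'visitor' } };
const admin = { path: '/api/settings', user: { role: 'admin' } };

// Compare both middlewares on every constructed request for a given
// settings object (e.g. { loginEnabled: true }).
function compare(settings) {
  const table = {};
  for (const [name, req] of Object.entries({ anonymous, visitor, admin })) {
    table[name] = {
      vulnerable: run(vulnerableRoleBasedAuthMiddleware(settings, ADMIN_ONLY), req),
      fixed: run(fixedRoleBasedAuthMiddleware(settings, ADMIN_ONLY), req),
    };
  }
  return table;
}

console.table(compare({ loginEnabled: true }));
```

Run with node: the anonymous row shows the vulnerable middleware returning 'next' (request reaches the handler) while the fixed one returns 401; the visitor row is 403 in both; the admin row passes in both. Running compare({ loginEnabled: false }) lets every request through in both variants, which is why only instances with login enabled are affected.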
CVE-2026-23837 is a critical vulnerability in MyTube versions up to and including 1.7.66 that allows unauthenticated users to bypass authentication and access sensitive application settings and user data.
You are affected if you run MyTube version 1.7.66 or earlier with loginEnabled: true configured.
Upgrade MyTube to version 1.7.67 or later. Monitor the MyTube project's official channels for any further security updates.
No active exploitation had been confirmed as of the publication date, but the ease of exploitation makes this a likely target.
Refer to the MyTube project's official website and GitHub repository for the latest security advisories and updates.