Platform: sqlite
Component: mytube
Fixed in: 1.8.70
CVE-2026-33735 describes an authorization bypass vulnerability discovered in MyTube, a self-hosted downloader and player. This flaw allows attackers with low-privilege credentials to completely overwrite the application’s SQLite database via the /api/settings/import-database endpoint, resulting in a full compromise of the application. The vulnerability affects versions of MyTube prior to 1.8.69, and a fix is available in version 1.8.69.
The impact of this vulnerability is severe. Successful exploitation allows an attacker to gain complete control over the MyTube application's data. By uploading a malicious SQLite database, an attacker could modify user credentials, video library information, and other critical settings. This could lead to unauthorized access to user accounts, data theft, and potentially the deployment of further malicious code within the compromised environment. The bypass extends to other POST routes, increasing the attack surface. The ability to replace the database effectively grants the attacker administrative privileges over the application’s functionality and data.
CVE-2026-33735 was publicly disclosed on 2026-03-27. There are currently no known public proof-of-concept exploits available, but the ease of exploitation makes it a potential target. Its inclusion in the CVE database suggests a moderate risk of exploitation. The vulnerability’s impact and relatively simple exploitation path warrant immediate attention.
Exploit Status
EPSS: 0.04% (13th percentile)
The primary mitigation for CVE-2026-33735 is to immediately upgrade MyTube to version 1.8.69 or later. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider restricting access to the /api/settings/import-database endpoint to trusted users only. Implement robust authentication and authorization checks for all POST requests to prevent unauthorized database modifications. Regularly back up the SQLite database to facilitate restoration in case of a successful attack. After upgrading, confirm the fix by attempting to access the /api/settings/import-database endpoint with a low-privilege user account and verifying that the request is denied.
Update MyTube to version 1.8.69 or later. This version corrects the access control vulnerability that allows database manipulation. The update will prevent attackers with low privileges from compromising the application.
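To check whether the import endpoint was already used before the upgrade or the access restriction went in, the reverse-proxy access log can be triaged for POSTs to it. The following is an added example, not MyTube code: it assumes a front end writing nginx/Apache Combined Log Format, and the sample lines, addresses and the `/api/example` path are constructed.

```python
import re
from collections import defaultdict

ENDPOINT = "/api/settings/import-database"  # path named in the advisory

# Assumption: Combined Log Format, the nginx/Apache default.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def import_hits(lines):
    """Return {client_ip: [(timestamp, status), ...]} for POSTs to ENDPOINT."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare the path only: drop the query string and a trailing slash,
        # and case-fold so a differently cased request is not missed.
        path = m["target"].split("?", 1)[0].rstrip("/").lower()
        if path == ENDPOINT:
            hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def accepted_imports(hits):
    """Keep only requests answered with 2xx, i.e. imports the server accepted."""
    accepted = {}
    for ip, events in hits.items():
        ok = [e for e in events if 200 <= e[1] < 300]
        if ok:
            accepted[ip] = ok
    return accepted

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Mar/2026:10:01:12 +0000] "GET /api/videos HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Mar/2026:10:02:40 +0000] "POST /api/settings/import-database HTTP/1.1" 200 48 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [28/Mar/2026:08:15:03 +0000] "POST /api/settings/import-database?x=1 HTTP/1.1" 403 31 "-" "curl/8.5.0"',
    '198.51.100.9 - - [28/Mar/2026:08:15:09 +0000] "POST /api/example HTTP/1.1" 200 17 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, events in accepted_imports(import_hits(SAMPLE_LOG)).items():
        for ts, status in events:
            print(f"review: {ip} {ts} POST {ENDPOINT} -> {status}")
```

The access log does not record the caller's role, so each accepted import has to be matched against known administrator activity; any that cannot be accounted for is a reason to restore the database from a backup taken before that timestamp.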
CVE-2026-33735 is a critical authorization bypass vulnerability in MyTube versions prior to 1.8.69, allowing attackers to replace the application’s SQLite database with malicious content.
You are affected if you are running MyTube version 1.8.69 or earlier. Immediately check your version and upgrade if necessary.
Upgrade MyTube to version 1.8.69 or later to resolve this vulnerability. Restrict access to the /api/settings/import-database endpoint as a temporary workaround.
While no public exploits are currently known, the vulnerability’s ease of exploitation suggests a potential risk of active exploitation.
Refer to the MyTube project's official website or GitHub repository for the latest security advisories and release notes.