Platform: other
Component: mytube
Fixed in: 1.8.72
CVE-2026-33890 describes a Privilege Escalation vulnerability affecting MyTube, a self-hosted downloader and player. An attacker can register a passkey without authentication and subsequently use it to obtain a full administrator session, leading to complete application compromise. This vulnerability impacts versions of MyTube prior to 1.8.71, and a fix is available in version 1.8.71.
This vulnerability allows an unauthenticated attacker to bypass authentication entirely and gain full administrative control over the MyTube application. An attacker could leverage this to modify application settings, access sensitive data stored within MyTube, inject malicious code, or even completely compromise the underlying server if MyTube is running with elevated privileges. The potential blast radius is significant, as a successful exploit could lead to data breaches, service disruption, and further compromise of the system hosting MyTube. The lack of authentication requirements makes this vulnerability particularly concerning, as it can be exploited by anyone with network access to the MyTube instance.
CVE-2026-33890 was publicly disclosed on 2026-03-27. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the vulnerability's ease of exploitation suggests it could become a target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.27% (50th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33890 is to immediately upgrade MyTube to version 1.8.71 or later. If upgrading is not immediately feasible due to compatibility concerns or downtime requirements, apply temporary workarounds. No direct workaround prevents passkey registration without authentication, but restricting network access to the MyTube instance to trusted users can reduce the attack surface. Monitor MyTube logs for suspicious passkey registration attempts. After upgrading, confirm the fix by attempting to register a passkey without authentication; the registration endpoint should now be protected.
Update MyTube to version 1.8.71 or later. This version corrects the vulnerability that allows unauthenticated attackers to obtain administrator privileges. The update prevents unauthorized access and potential manipulation of the application.
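The log monitoring recommended above, sketched as an added example (not code from the MyTube project or from this advisory): it scans reverse-proxy access logs in combined format for accepted passkey registrations that have no earlier successful login from the same client, or that come from outside trusted networks. The route paths, the trusted range and the sample lines are assumptions, since the page does not name MyTube's endpoints; matching on client IP is a heuristic and will misjudge clients behind shared addresses.

```python
import ipaddress
import re
# Assumptions, not MyTube's documented routes: replace with your instance's paths.
REGISTER_PREFIX = "/PLACEHOLDER/passkeys/register"
LOGIN_PATH = "/PLACEHOLDER/login"
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed trusted range
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Mar/2026:09:00:01 +0000] "POST /PLACEHOLDER/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Mar/2026:09:00:09 +0000] "POST /PLACEHOLDER/passkeys/register/verify HTTP/1.1" 200 301 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Mar/2026:09:14:30 +0000] "POST /PLACEHOLDER/passkeys/register/verify HTTP/1.1" 200 298 "-" "curl/8.5.0"
10.0.0.9 - - [27/Mar/2026:09:20:00 +0000] "POST /PLACEHOLDER/passkeys/register/verify?x=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.20 - - [27/Mar/2026:09:31:12 +0000] "POST /PLACEHOLDER/passkeys/register/options HTTP/1.1" 401 40 "-" "curl/8.5.0"
this line is not in combined format and is skipped
"""

def is_trusted(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostname or malformed field: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious_registrations(log_text):
    """Flag accepted registrations with no prior login or from outside TRUSTED_NETS."""
    logged_in, findings = set(), []
    for line in log_text.splitlines():  # log is assumed to be in chronological order
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["status"].startswith("2"):
            continue  # only accepted POSTs matter; rejections are the patched behaviour
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        if path == LOGIN_PATH:
            logged_in.add(ip)
        elif path.startswith(REGISTER_PREFIX):
            reasons = []
            if ip not in logged_in:
                reasons.append("no earlier successful login from this client")
            if not is_trusted(ip):
                reasons.append("client outside trusted networks")
            if reasons:
                findings.append({"time": m["ts"], "ip": ip, "path": path, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_registrations(SAMPLE_LOG):
        print(f["time"], f["ip"], f["path"], "; ".join(f["reasons"]))
```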
CVE-2026-33890 is a vulnerability in MyTube versions prior to 1.8.71 that allows an unauthenticated attacker to register a passkey and gain full administrator access, leading to complete application compromise.
You are affected if you are running MyTube version 1.8.71 or earlier. Immediately check your version and upgrade if necessary.
Upgrade MyTube to version 1.8.71 or later to resolve this vulnerability. If immediate upgrade is not possible, restrict network access to the MyTube instance.
There is currently no confirmed evidence of active exploitation, but the ease of exploitation suggests it could become a target.
Refer to the MyTube project's official website or repository for the latest security advisories and updates.