Platform: nginx
Component: nginx
Fixed version: 1.7.67
CVE-2026-23837 is an authentication bypass in MyTube, a self-hosted video downloader and player. The flaw lets an unauthenticated client skip the authentication check and reach application settings and user data. It affects MyTube versions up to and including 1.7.66 when the instance is configured with login enabled; version 1.7.67 contains the fix.
The impact is significant. An attacker can read and modify the /api/settings endpoint without authenticating, which allows changing application configuration, resetting the administrative and visitor passwords, and from there taking full control of the MyTube instance. Because no authentication is enforced on that path, any client that can reach the MyTube server over HTTP can exploit it. The bypass defeats the control meant to protect sensitive data and administrative functions, so exposed instances face unauthorized modification and data exposure.
CVE-2026-23837 was publicly disclosed on 2026-01-19. The vulnerability's simplicity and the lack of authentication requirements suggest a relatively low barrier to exploitation. While no public proof-of-concept (PoC) has been identified as of the publication date, the ease of exploitation makes it a potential target for opportunistic attackers. This vulnerability is not currently listed on the CISA KEV catalog.
Organizations and individuals running MyTube with loginEnabled: true are at significant risk. This includes those deploying MyTube in shared hosting environments, as the vulnerability can be exploited remotely without requiring local access. Legacy configurations that haven't been updated recently are also particularly vulnerable.
• nginx / server:
# Look for hits on /api/settings that carried no cookie. The default "combined" log_format
# records no request cookies, so this assumes log_format was extended to end with
# "$http_cookie"; nginx writes an absent header as "-", so the last field is "-" for
# requests without a Cookie header. Without that log_format change, review every
# /api/settings hit by source address instead.
grep "/api/settings" /var/log/nginx/access.log | awk '$NF == "\"-\""'
• generic web:
# Unauthenticated GET to /api/settings; a patched instance answers 401 (or 403), not 200
curl -s -o /dev/null -w "%{http_code}\n" http://your-mytube-instance/api/settings
Exploitation status
EPSS: 0.33% (55th percentile)
The primary mitigation for CVE-2026-23837 is to upgrade MyTube to 1.7.67, the fixed version listed above, or later, and to watch the MyTube project's official channels for any follow-up releases. Until the upgrade is in place, restrict who can reach the /api/ endpoints at the reverse proxy or firewall (a source-address allow-list, or placing the instance behind a VPN). A WAF rule that only drops requests to /api/settings lacking an authentication cookie will stop opportunistic scanners but not a deliberate attacker: the defect is in the application's own check when no valid session is present, and an arbitrary Cookie header satisfies a presence-only rule while still leaving req.user undefined. After upgrading, verify by requesting /api/settings without a session cookie; the response should be 401, not 200.
Upgrade MyTube to version 1.7.67 or later. If you cannot upgrade immediately, restrict access to the /api/ endpoints with a firewall or reverse proxy, or apply the fix manually by changing the roleBasedAuthMiddleware middleware so that it returns a 401 error when req.user is undefined.
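The manual patch described above, written out as an added example. This is not MyTube's source: the names roleBasedAuthMiddleware and loginEnabled come from the advisory text, while the session store, the cookie name "session", and the Express-style req/res/next objects are constructed stand-ins so the example runs on plain Node.js with no dependencies. It places the vulnerable shape (role check guarded by "req.user &&", so a missing user falls through) beside the fixed shape (401 before any role comparison) and runs the same three requests through both.

```javascript
// Added example, not MyTube's code: a reconstruction of the bug class the advisory describes.
// Names taken from the advisory: roleBasedAuthMiddleware, loginEnabled. Everything else
// (SESSIONS, the "session" cookie, the Express-like req/res/next objects) is a constructed stand-in.

const config = { loginEnabled: true };

// Constructed session store: cookie value -> authenticated user record.
const SESSIONS = {
  "admin-session-token": { name: "admin", role: "admin" },
  "visitor-session-token": { name: "visitor", role: "visitor" },
};

// Resolve req.user from the Cookie header; undefined when no valid session is presented.
function userFromCookie(cookieHeader) {
  if (!cookieHeader) return undefined;
  for (const part of cookieHeader.split(";")) {
    const [name, value] = part.trim().split("=");
    if (name === "session") return SESSIONS[value];
  }
  return undefined;
}

// Vulnerable shape: the role comparison only runs when req.user exists, so a request with
// no user at all skips it and reaches next(). Unauthenticated callers get the handler.
function roleBasedAuthMiddlewareVulnerable(requiredRole) {
  return (req, res, next) => {
    if (!config.loginEnabled) return next();
    if (req.user && req.user.role !== requiredRole) return res.status(403).end("forbidden");
    return next();
  };
}

// Fixed shape: reject the missing-user case with 401 before any role comparison.
function roleBasedAuthMiddlewareFixed(requiredRole) {
  return (req, res, next) => {
    if (!config.loginEnabled) return next();
    if (req.user === undefined) return res.status(401).end("unauthorized");
    if (req.user.role !== requiredRole) return res.status(403).end("forbidden");
    return next();
  };
}

// Minimal Express-like dispatch: build the request, populate req.user, run the middleware,
// and record whether the protected /api/settings handler actually executed.
function dispatch(middleware, cookieHeader) {
  const req = { method: "GET", url: "/api/settings", headers: {}, user: undefined };
  if (cookieHeader !== undefined) req.headers.cookie = cookieHeader;
  req.user = userFromCookie(req.headers.cookie);
  const res = {
    statusCode: 200,
    body: "",
    status(code) { this.statusCode = code; return this; },
    end(body) { this.body = body; return this; },
  };
  let reachedHandler = false;
  middleware(req, res, () => {
    reachedHandler = true;
    res.end(JSON.stringify({ settings: "sensitive" }));
  });
  return { status: res.statusCode, reachedHandler };
}

// Same three requests (no cookie, visitor session, admin session) against both shapes.
function compare() {
  const cases = {
    none: undefined,
    visitor: "session=visitor-session-token",
    admin: "session=admin-session-token",
  };
  const out = { vulnerable: {}, fixed: {} };
  for (const [label, cookie] of Object.entries(cases)) {
    out.vulnerable[label] = dispatch(roleBasedAuthMiddlewareVulnerable("admin"), cookie).status;
    out.fixed[label] = dispatch(roleBasedAuthMiddlewareFixed("admin"), cookie).status;
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) console.log(compare());
```

With no cookie the vulnerable middleware returns 200 and runs the handler, the fixed one returns 401 and never reaches it; both return 403 for a visitor session and 200 for an admin session, which is the behaviour to confirm after applying the patch by hand.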
CVE-2026-23837 is an authentication bypass in MyTube versions ≤1.7.66 that allows unauthenticated users to skip the authentication check and access sensitive application settings and user data.
You are affected if you are running MyTube version 1.7.66 or earlier, and have loginEnabled: true configured.
Upgrade MyTube to version 1.7.67 or later, and monitor the MyTube project's official channels for any further updates.
While no active exploitation has been confirmed as of the publication date, the ease of exploitation makes it a potential target.
Refer to the MyTube project's official website and GitHub repository for the latest security advisories and updates.