Description
MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view.
Published: 2026-01-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Database Export
Action: Apply Patch
AI Analysis

Impact

MyTube is a self‑hosted downloader and player that, up to version 1.7.78, does not check user authorisation on the database export endpoint, allowing guest users to retrieve the entire application database. This behaviour can expose sensitive data that should remain confidential, thereby compromising the integrity and confidentiality of the system. The flaw is a classic authorisation bypass (CWE-862).

Affected Systems

Franklioxygen's MyTube. All released versions 1.7.78 and earlier are vulnerable. Operators of these versions should confirm whether they are still running a susceptible build and upgrade to a safe version if one is available.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-severity vulnerability. The EPSS score of less than 1% suggests that immediate exploitation is unlikely, and the absence of a KEV listing means no active exploitation has been documented. The likely attack vector is remote, via the application's web interface, and requires no credentials beyond guest access. Once the endpoint is invoked, an attacker can obtain the full database, which may contain user credentials, configuration details, or other sensitive data. The impact is confined to systems that still host an affected MyTube instance.

Generated by OpenCVE AI on April 18, 2026 at 03:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MyTube to a version newer than 1.7.78 to remove the export endpoint flaw
  • If an upgrade is not immediately possible, disable the database export function for guest users or restrict gateway access to authenticated users only
  • Verify that the application’s access controls are correctly configured and monitor server logs for attempts to hit the export endpoint
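As an added example (not code from MyTube, OpenCVE or the CVE record), the following Python sketch shows the pattern CWE-862 describes and the two recommendations above: an export handler that serves the database to any session holder next to a hardened version that authorizes against an explicit role allow-list, plus a filter over constructed access-log lines that flags requests to the export endpoint by anyone other than an administrator. The route `/api/export`, the roles, the log layout and the database contents are all assumptions; the advisory does not name MyTube's real endpoint or schema.

```python
from dataclasses import dataclass
import re

# Assumed endpoint path; the advisory does not name MyTube's actual route.
EXPORT_PATH = "/api/export"

# Constructed stand-in for the application database (hypothetical contents).
DATABASE = {
    "users": [{"name": "alice", "password_hash": "<hash placeholder>"}],
    "settings": {"api_key": "<secret placeholder>"},
}


@dataclass
class User:
    name: str
    role: str  # assumed roles: "guest", "user" or "admin"


def export_database_vulnerable(user):
    """The pattern the advisory describes: any session, guest included,
    reaches the export because only authentication is checked (CWE-862)."""
    if user is None:
        return 401, None
    return 200, DATABASE


def export_database_fixed(user):
    """Hardened handler: authenticate, then authorize against an explicit
    allow-list of roles before any data is returned."""
    if user is None:
        return 401, None
    if user.role != "admin":
        return 403, None
    return 200, DATABASE


# Constructed access-log lines in a combined-log-like layout; the third
# field is the authenticated user (here the session's role name).
LOG_LINES = [
    '10.0.0.5 admin [18/Apr/2026:03:00:01 +0000] "GET /api/export HTTP/1.1" 200 48213',
    '10.0.0.9 guest [18/Apr/2026:03:00:07 +0000] "GET /api/export HTTP/1.1" 200 48213',
    '10.0.0.9 guest [18/Apr/2026:03:00:09 +0000] "GET /api/videos HTTP/1.1" 200 1024',
    '10.0.0.12 bob [18/Apr/2026:03:01:00 +0000] "GET /api/export?all=1 HTTP/1.1" 403 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_export_hits(lines, admins=frozenset({"admin"})):
    """Return (timestamp, user, status) for export-endpoint requests made by
    anyone outside the admin set. A 200 on a vulnerable build means the
    database left the server; a 403 shows the hardened check refusing."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if path != EXPORT_PATH or m.group("user") in admins:
            continue
        hits.append((m.group("ts"), m.group("user"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    guest = User("guest-session", "guest")
    print("vulnerable:", export_database_vulnerable(guest)[0])  # 200
    print("fixed:", export_database_fixed(guest)[0])            # 403
    for ts, who, status in suspicious_export_hits(LOG_LINES):
        print(f"{ts}  {who:<6} hit {EXPORT_PATH} -> {status}")
```

The log filter treats an export request by any non-admin as worth reviewing regardless of status code: before the patch a 200 confirms disclosure, and after it a 403 is still a probe worth knowing about.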

Advisories

No advisories yet.

History

Mon, 02 Feb 2026 13:30:00 +0000

Type    | Values Removed | Values Added
CPEs    |                | cpe:2.3:a:franklioxygen:mytube:*:*:*:*:*:*:*:*
Metrics |                | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Mon, 26 Jan 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Franklioxygen; Franklioxygen mytube
Vendors & Products  |                | Franklioxygen; Franklioxygen mytube

Sat, 24 Jan 2026 00:00:00 +0000

Type        | Values Removed | Values Added
Description |                | MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view.
Title       |                | MyTube Allows Unauthorized Database Export by Guest Users
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T16:18:05.863Z

Reserved: 2026-01-21T18:38:22.475Z

Link: CVE-2026-24139

Vulnrichment

Updated: 2026-01-26T16:15:54.907Z

NVD

Status: Analyzed

Published: 2026-01-24T00:15:49.313

Modified: 2026-02-02T13:26:40.357

Link: CVE-2026-24139

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:15:35Z

Weaknesses