Description
MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue.
Published: 2026-03-27
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Full administrative privilege escalation
Action: Immediate patch
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to register an arbitrary passkey. The application exposes its passkey registration endpoints without authentication. Once a passkey is registered, the system issues an administrator token on login, giving the attacker full admin rights. This privilege escalation is a direct consequence of the CWE‑284 flaw (improper access control), where an actor gains unauthorized access to privileged resources.

Affected Systems

The affected product is MyTube, a self‑hosted video downloader and player from franklioxygen. Versions prior to 1.8.71 are vulnerable; the issue was resolved in release 1.8.71. All earlier releases, 1.8.70 and below, could be compromised through the described endpoint.

Risk and Exploitability

The CVSS base score of 8.9 classifies this as a high‑severity vulnerability. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers only need network access to the MyTube instance; no prior authentication is required. The exploit path is straightforward: contact the passkey registration endpoint, register any key, authenticate, and receive an admin session. Because the endpoint performs no authentication check, the risk of exploitation is high for exposed instances.

Generated by OpenCVE AI on March 27, 2026 at 06:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MyTube to version 1.8.71 or later to eliminate the vulnerability.
  • If an upgrade cannot be performed immediately, block or remove the passkey registration endpoints from public reach using firewall or web‑server access restrictions.
  • Monitor the application for any unauthorized passkey registrations and invalidate known keys if needed.
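The access-control gap the analysis describes, and the fix the recommended actions point to, shown as an added Python illustration. This is not MyTube's code: the in-memory store, the role names ("admin" and "user"), the endpoint behaviour, and the HMAC challenge-response standing in for a WebAuthn assertion signature are all assumptions made for this example.

```python
# Added illustration (not MyTube's code): contrast an unauthenticated passkey
# registration that auto-grants admin with one that requires a session and
# inherits the caller's role. HMAC stands in for the WebAuthn assertion signature.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Credential:
    credential_id: str
    key: bytes      # stand-in for the passkey's public key
    owner: str      # the user this passkey is bound to

class PasskeyStore:
    """In-memory state shared by both variants (constructed for the example)."""
    def __init__(self) -> None:
        self.roles = {}        # user name -> role ("admin" or "user", assumed names)
        self.credentials = {}  # credential_id -> Credential
        self.sessions = {}     # session token -> user name
        self.challenges = {}   # credential_id -> pending challenge bytes

    def issue_session(self, name: str) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = name
        return token

    def new_challenge(self, credential_id: str) -> bytes:
        self.challenges[credential_id] = secrets.token_bytes(32)
        return self.challenges[credential_id]

    def verify_assertion(self, credential_id: str, signature: bytes) -> Optional[Credential]:
        """Single-use challenge, constant-time comparison of the response."""
        cred = self.credentials.get(credential_id)
        chal = self.challenges.pop(credential_id, None)
        if cred is None or chal is None:
            return None
        expected = hmac.new(cred.key, chal, hashlib.sha256).digest()
        return cred if hmac.compare_digest(expected, signature) else None

# Vulnerable pattern (CWE-284): no caller check, every passkey becomes admin.
def register_vulnerable(store: PasskeyStore, credential_id: str, key: bytes) -> None:
    # No session required, so any network client can add a passkey.
    store.credentials[credential_id] = Credential(credential_id, key, owner="admin")

def authenticate_vulnerable(store: PasskeyStore, credential_id: str, signature: bytes):
    cred = store.verify_assertion(credential_id, signature)
    if cred is None:
        return None
    # Any passkey that verifies is handed an administrator session.
    return {"token": store.issue_session("admin"), "role": "admin"}

# Hardened pattern: registration needs an authenticated session and is bound to it.
def register_hardened(store: PasskeyStore, session_token: str, credential_id: str, key: bytes) -> None:
    owner = store.sessions.get(session_token)
    if owner is None:
        raise PermissionError("passkey registration requires an authenticated session")
    if credential_id in store.credentials:
        raise ValueError("credential id already registered")
    store.credentials[credential_id] = Credential(credential_id, key, owner=owner)

def authenticate_hardened(store: PasskeyStore, credential_id: str, signature: bytes):
    cred = store.verify_assertion(credential_id, signature)
    if cred is None:
        return None
    # The session carries the owner's existing role; login never elevates it.
    return {"token": store.issue_session(cred.owner), "role": store.roles[cred.owner]}

def demo() -> dict:
    """Run the same actions against both variants and report the outcomes."""
    results, key = {}, secrets.token_bytes(32)
    vuln = PasskeyStore()
    register_vulnerable(vuln, "cred-1", key)  # caller holds no session at all
    sig = hmac.new(key, vuln.new_challenge("cred-1"), hashlib.sha256).digest()
    results["vulnerable_role"] = authenticate_vulnerable(vuln, "cred-1", sig)["role"]

    hard = PasskeyStore()
    hard.roles["alice"] = "user"
    try:
        register_hardened(hard, "not-a-session", "cred-1", key)
        results["unauth_register"] = "allowed"
    except PermissionError:
        results["unauth_register"] = "rejected"
    register_hardened(hard, hard.issue_session("alice"), "cred-2", key)
    sig = hmac.new(key, hard.new_challenge("cred-2"), hashlib.sha256).digest()
    results["hardened_role"] = authenticate_hardened(hard, "cred-2", sig)["role"]
    results["replayed_assertion"] = authenticate_hardened(hard, "cred-2", sig)
    results["unregistered_cred"] = authenticate_hardened(hard, "cred-1", sig)
    return results

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable variant handing an administrator role to a passkey that was registered with no session, while the hardened variant rejects the unauthenticated registration, binds each passkey to the session that registered it, issues only that user's existing role at login, and refuses a replayed assertion. The same model makes the monitoring point concrete: every registration should be attributable to an existing session, so a registration event with no session behind it is the condition worth alerting on.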



Advisories

No advisories yet.

History

Fri, 27 Mar 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Franklioxygen; Franklioxygen mytube

Type: Vendors & Products
Values Removed: (none)
Values Added: Franklioxygen; Franklioxygen mytube

Fri, 27 Mar 2026 04:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue.

Type: Title
Values Removed: (none)
Values Added: MyTube has an Unauthenticated Admin Privilege Escalation via Passkey Registration

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-284

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T13:49:59.015Z

Reserved: 2026-03-24T15:10:05.682Z

Link: CVE-2026-33890

Vulnrichment

Updated: 2026-03-27T13:19:01.769Z

NVD

Status: Received

Published: 2026-03-27T01:16:21.493

Modified: 2026-03-27T15:16:59.123

Link: CVE-2026-33890

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:22:30Z

Weaknesses