Description
MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability.
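The root cause described above is the scope of the lockout record, not the lockout itself. The following is an added example, not MyTube's code: an in-memory model of a login-attempt store that can run in the vulnerable "global" scope (one record shared by every caller and endpoint) or in a "per-key" scope (one record per account/client pair). The function names `canAttemptLogin()` and `recordFailedAttempt()` come from the advisory; their signatures here, the in-memory `Map` in place of `login-attempts.json`, the three free attempts and the doubling schedule starting at one minute are all assumptions, since the page gives only the 24-hour cap. `simulate()` shows that in global scope a run of failures from one client leaves an unrelated administrator unable to even attempt a login, while in per-key scope the same failures only affect the record they belong to.

```javascript
// Added example, not MyTube's code. Models the lockout store in two scopes.
const HOUR_MS = 60 * 60 * 1000;
const MAX_COOLDOWN_MS = 24 * HOUR_MS;   // cap stated in the advisory
const FREE_ATTEMPTS = 3;                // assumption: no cooldown before the 3rd failure
const BASE_COOLDOWN_MS = 60 * 1000;     // assumption: 1 minute, doubling per further failure

// Escalating cooldown, capped at 24 hours. The schedule is constructed.
function cooldownFor(failedAttempts) {
  if (failedAttempts < FREE_ATTEMPTS) return 0;
  const steps = failedAttempts - FREE_ATTEMPTS;        // 0 on the third failure
  return Math.min(BASE_COOLDOWN_MS * 2 ** steps, MAX_COOLDOWN_MS);
}

class LoginAttemptStore {
  // scope 'global': one record for everyone (the vulnerable design).
  // scope 'per-key': one record per caller-supplied key, e.g. `${account}|${clientAddr}`.
  constructor(scope) {
    this.scope = scope;
    this.records = new Map();           // stands in for login-attempts.json
  }

  _record(key) {
    const k = this.scope === 'global' ? '*' : key;
    if (!this.records.has(k)) {
      this.records.set(k, { failedAttempts: 0, lockedUntil: 0 });
    }
    return this.records.get(k);
  }

  // Returns true when no cooldown is active for this key at time `now` (ms).
  canAttemptLogin(key, now) {
    return now >= this._record(key).lockedUntil;
  }

  // Records a failure and returns the cooldown (ms) that now applies.
  recordFailedAttempt(key, now) {
    const r = this._record(key);
    r.failedAttempts += 1;
    r.lockedUntil = now + cooldownFor(r.failedAttempts);
    return r.lockedUntil - now;
  }

  // A successful login clears the record for that key (or everyone, in global scope).
  recordSuccess(key) {
    this.records.delete(this.scope === 'global' ? '*' : key);
  }
}

// One noisy client records `failures` failed attempts, waiting out each cooldown
// as the advisory describes; then an unrelated administrator tries to log in.
function simulate(scope, failures) {
  const store = new LoginAttemptStore(scope);
  let now = 0;
  let lastCooldown = 0;
  for (let i = 0; i < failures; i++) {
    lastCooldown = store.recordFailedAttempt('guest|203.0.113.7', now); // constructed key
    if (i < failures - 1) now += lastCooldown;  // wait until the cooldown has expired
  }
  return {
    cooldownMs: lastCooldown,
    victimCanLogin: store.canAttemptLogin('admin|198.51.100.2', now),   // constructed key
  };
}

module.exports = { cooldownFor, LoginAttemptStore, simulate };
```

With the constructed schedule the cap is reached after 14 failures; `simulate('global', 14)` then reports `victimCanLogin: false`, whereas `simulate('per-key', 14)` reports `true` for the same failure count. Keying the record by account alone would still let a remote party lock one chosen account, and keying by client address alone is unreliable behind shared proxies, so the per-key scope in practice combines the two and is paired with a bound on how many records the store will hold.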
Published: 2026-03-27
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Denial of Service
Action: Patch Immediately
AI Analysis

Impact

An unauthenticated attacker can trigger successive failed login attempts against any of the three publicly exposed password verification endpoints in MyTube, causing a globally shared lockout counter to reach its maximum value. The resulting 24‑hour lockout blocks all administrator and visitor accounts from using password‑based authentication. This leads to a denial of service that can be sustained indefinitely by repeating the attack pattern, without any successful login occurring to reset the lockout.

Affected Systems

The vulnerability exists in the MyTube application in version 1.8.71 and earlier, as developed by franklioxygen. It affects all deployments of MyTube using the shared login attempt state mechanism, regardless of hosting environment, and can be exploited through any of the three publicly accessible login endpoints.

Risk and Exploitability

The issue carries a CVSS score of 7.7, indicating high severity. The EPSS score is listed as below 1%, suggesting that widespread exploitation is currently unlikely, and the vulnerability is not included in the CISA KEV catalog. Attackers can perform the exploit without authentication by repeatedly sending invalid credentials to any endpoint, which is facilitated by the publicly exposed login routes. Once the lockout is triggered, the denial remains until the cooldown period expires or a successful login resets the counter.

Generated by OpenCVE AI on April 2, 2026 at 04:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MyTube to version 1.8.72 or later, the fixed release provided by the vendor.

Tracking

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:franklioxygen:mytube:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Franklioxygen
Franklioxygen mytube
Vendors & Products Franklioxygen
Franklioxygen mytube

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
Description MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability.
Title MyTube has Unauthenticated Account Lockout via Shared Login Attempt State
Weaknesses CWE-307
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Franklioxygen Mytube
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T20:02:20.942Z

Reserved: 2026-03-24T19:50:52.103Z

Link: CVE-2026-33935

Vulnrichment

Updated: 2026-03-27T20:02:16.543Z

NVD

Status : Analyzed

Published: 2026-03-27T01:16:21.647

Modified: 2026-04-01T13:42:53.700

Link: CVE-2026-33935

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:55:49Z

Weaknesses