Description
MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability.
Published: 2026-03-27
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via global account lockout
Action: Apply Patch
AI Analysis

Impact

MyTube’s authentication layer exposes three independent password‑verification endpoints that all rely on a single shared file to track login attempts. When any endpoint records a failed login, it increments a global counter and starts a cooldown period. Because the same counter and timer are consulted by every endpoint before accepting a password, an unauthenticated attacker can send repeated bad credentials to any of these endpoints and progressively raise the lockout duration. The attacker may then cycle the cooldown to maintain a 24‑hour lockout for all users, effectively denying legitimate administrators and visitors from logging in. This vulnerability falls under Weak Authentication (CWE‑307) and results in a denial of service for all accounts.

Affected Systems

The flaw affects Franklioxygen’s MyTube product up to and including version 1.8.71. The vulnerable behavior is present in all publicly accessible password‑verification endpoints of the backend service. A fix was introduced in release 1.8.72, which removes the shared login‑attempt state and resets the counter per endpoint.

Risk and Exploitability

The CVSS base score of 7.7 indicates high availability impact and requires no privileged access, making the threat moderate but significant. No data is available on exploit probability, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting limited evidence of widespread exploitation. However, the attack path is straightforward: an unauthenticated user can abuse any of the three endpoints via simple HTTP requests to a publicly reachable MyTube instance to trigger and maintain the lockout.

Generated by OpenCVE AI on March 27, 2026 at 07:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MyTube to version 1.8.72 or later to eliminate the shared login‑attempt flaw
  • Confirm that every password‑verification endpoint has the updated logic and that no legacy state files remain
  • Monitor authentication logs for abnormal spikes or repeated failed attempts as an early sign of abuse
  • If immediate upgrade is not possible, block external traffic to the public login endpoints using firewall or network rules until the update is applied
  • Consider enabling per‑endpoint lockout policies or disabling unauthenticated access to the affected endpoints as a temporary defense

Generated by OpenCVE AI on March 27, 2026 at 07:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Franklioxygen
Franklioxygen mytube
Vendors & Products Franklioxygen
Franklioxygen mytube

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
Description MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability.
Title MyTube has Unauthenticated Account Lockout via Shared Login Attempt State
Weaknesses CWE-307
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Franklioxygen Mytube
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T00:43:49.590Z

Reserved: 2026-03-24T19:50:52.103Z

Link: CVE-2026-33935

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-27T01:16:21.647

Modified: 2026-03-27T01:16:21.647

Link: CVE-2026-33935

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:22:29Z

Weaknesses