PT-2026-3495 · Mytube

P1Ngul1N0 · Published 2026-01-19 · Updated 2026-02-02 · CVE-2026-23837

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MyTube versions prior to 1.7.66

Description: MyTube is a self-hosted downloader and player for several video websites. A flaw allows unauthenticated users to bypass the authentication check in roleBasedAuthMiddleware: a request that carries no authentication cookie is incorrectly passed on to downstream handlers. All users running MyTube with loginEnabled: true are affected. This allows an attacker to access and modify application settings via the /api/settings endpoint, change the administrative and visitor passwords, and reach other protected routes that rely on this middleware. The root cause is that roleBasedAuthMiddleware defaults to calling next() when req.user is undefined.

Recommendations: Upgrade to MyTube version 1.7.66 or later. As a temporary workaround, restrict network access to the /api/ endpoints to trusted IP addresses using a firewall or reverse proxy. If you are comfortable editing the source code, patch roleBasedAuthMiddleware so that it returns a 401 Unauthorized error when req.user is undefined instead of calling next().
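The advisory describes a "default to next()" bug and its fix in one sentence each. The block below is an added illustration, not MyTube's code: an Express-style role-based authorization middleware written in the fall-through pattern the advisory describes, next to a deny-by-default version that returns 401 when req.user is undefined. The function names (roleBasedAuthMiddlewareVulnerable, roleBasedAuthMiddlewareFixed, attachUserFromCookie), the cookie name and the session table are assumptions made for the example; the request/response objects are small stand-ins so the chain runs with plain Node and no server.

```javascript
// Added example (not MyTube's code): Express-style middleware chain showing the
// authorization fall-through described in CVE-2026-23837 beside a hardened form.
// All names and the session table below are constructed for illustration.

// Constructed stand-in for a server-side session store.
const SESSIONS = {
  'sess-admin-1': { name: 'admin', role: 'admin' },
  'sess-visitor-1': { name: 'guest', role: 'visitor' },
};

// Reads a "session" cookie and attaches req.user. With no cookie (or an unknown
// one) req.user stays undefined, which is exactly the state the advisory describes.
function attachUserFromCookie(req, res, next) {
  const match = /(?:^|;\s*)session=([^;]+)/.exec(req.headers.cookie || '');
  if (match && SESSIONS[match[1]]) {
    req.user = SESSIONS[match[1]];
  }
  next();
}

// Vulnerable pattern: the role check only runs when req.user exists, so an
// anonymous request skips it and falls through to next().
function roleBasedAuthMiddlewareVulnerable(allowedRoles) {
  return function (req, res, next) {
    if (req.user && !allowedRoles.includes(req.user.role)) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    next(); // BUG: reached when req.user is undefined
  };
}

// Hardened pattern: deny by default. No user means 401, wrong role means 403,
// and only an allowed role reaches next().
function roleBasedAuthMiddlewareFixed(allowedRoles) {
  return function (req, res, next) {
    if (!req.user) {
      return res.status(401).json({ error: 'Unauthorized' });
    }
    if (!allowedRoles.includes(req.user.role)) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    next();
  };
}

// Minimal stand-ins for Express's req/res/next so the chain runs without a server.
// Returns the final status, whether the protected handler was reached, and the body.
function simulateRequest(cookieHeader, authMiddleware) {
  const req = { headers: { cookie: cookieHeader }, user: undefined };
  const outcome = { status: 200, handlerReached: false, body: null };
  const res = {
    status(code) { outcome.status = code; return this; },
    json(body) { outcome.body = body; return this; },
  };
  const protectedHandler = () => {
    outcome.handlerReached = true;
    res.status(200).json({ ok: true });
  };
  // Run the two middlewares in order, as app.use()/router chaining would.
  attachUserFromCookie(req, res, () => authMiddleware(req, res, protectedHandler));
  return outcome;
}

// Side-by-side check of the three interesting cases for an admin-only route.
function compareBehaviour() {
  const cases = { none: '', visitor: 'session=sess-visitor-1', admin: 'session=sess-admin-1' };
  const report = {};
  for (const [label, cookie] of Object.entries(cases)) {
    report[label] = {
      vulnerable: simulateRequest(cookie, roleBasedAuthMiddlewareVulnerable(['admin'])),
      fixed: simulateRequest(cookie, roleBasedAuthMiddlewareFixed(['admin'])),
    };
  }
  return report;
}

console.log(JSON.stringify(compareBehaviour(), null, 2));
```

The "none" case is the one the advisory is about: with no cookie the vulnerable chain reaches the protected handler with status 200, while the fixed chain stops at 401 and never calls next(). A useful review habit for any such middleware is to walk every path to next() and confirm each one is reachable only after a positive identity and role decision, rather than by the absence of a failing check.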

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-23837
GHSA-CMVJ-G69F-8664

Affected Products

Mytube