PT-2026-28555 · Mytube · Mytube
Daniel-Grunbergerca · Published 2026-03-27 · Updated 2026-03-27 · CVE-2026-33890
| CVSS v3.1 | 9.8 Critical |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
MyTube versions prior to 1.8.71
Description
MyTube is a self-hosted downloader and player for several video websites. Before version 1.8.71, an unauthenticated attacker could register an arbitrary passkey and subsequently authenticate with it to obtain a full administrator session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. The vulnerable endpoints are the passkey registration endpoints. The passkey is the vulnerable parameter.
Recommendations
Versions prior to 1.8.71 should be updated to version 1.8.71 or later.
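The two conditions the description combines (registration open to callers with no session, and an administrator token issued for any verified passkey) can be modelled side by side with the corresponding checks. This is an added example, not MyTube's code or its actual patch: the service shape, role names and credential IDs are hypothetical, and WebAuthn signature verification is assumed to have already succeeded.

```javascript
// Added illustration; names, roles and session shape are hypothetical, not MyTube's code.
// WebAuthn attestation/assertion verification is assumed to have succeeded already.
const ADMIN = "admin", VIEWER = "viewer";

function createPasskeyService({ hardened }) {
  const credentials = new Map(); // credentialId -> { user, role }

  // Registration binds a new credential to an account.
  function register(session, credentialId) {
    if (hardened && !session) {
      return { status: 401, error: "login required to register a passkey" };
    }
    // Vulnerable mode accepts the request with no session at all.
    credentials.set(credentialId, {
      user: session ? session.user : "unknown",
      role: session ? session.role : null,
    });
    return { status: 200 };
  }

  // Login issues a session token for a verified credential.
  function login(credentialId) {
    const cred = credentials.get(credentialId);
    if (!cred) return { status: 401, error: "unknown credential" };
    // Vulnerable mode: every verified passkey receives an admin token.
    // Hardened mode: the token carries the role of the account that registered it.
    const role = hardened ? cred.role : ADMIN;
    return { status: 200, token: { user: cred.user, role } };
  }

  return { register, login };
}

// Replays one sequence against both modes: a caller with no session
// registers a passkey and then logs in with it.
function unauthenticatedFlow(hardened) {
  const svc = createPasskeyService({ hardened });
  const reg = svc.register(null, "cred-constructed-1"); // constructed sample ID
  const auth = svc.login("cred-constructed-1");
  return { registerStatus: reg.status, loginStatus: auth.status,
           role: auth.token ? auth.token.role : null };
}

// A logged-in low-privilege user keeps their own role in hardened mode.
function viewerFlow(hardened) {
  const svc = createPasskeyService({ hardened });
  svc.register({ user: "alice", role: VIEWER }, "cred-constructed-2");
  return svc.login("cred-constructed-2").token.role;
}

console.log(unauthenticatedFlow(false), unauthenticatedFlow(true), viewerFlow(true));
```

Either check alone leaves a gap: gating registration without fixing role assignment still promotes any logged-in user to administrator, which is what `viewerFlow(false)` shows.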
Exploit
Fix
Improper Access Control
Weakness Enumeration
Related Identifiers
Affected Products
Mytube