CVE-2026-23837: CWE-863: Incorrect Authorization in franklioxygen MyTube
CVE-2026-23837 is a critical authorization bypass vulnerability in franklioxygen MyTube versions prior to 1.7.66. It allows unauthenticated attackers to bypass role-based authentication middleware by omitting authentication cookies, resulting in unauthorized access to protected API endpoints. Attackers can modify application settings, change administrative and visitor passwords, and access sensitive routes without any authentication or user interaction. The vulnerability is patched in version 1.7.66, and immediate upgrade is strongly recommended. Mitigations include restricting access to /api/ endpoints via firewall or reverse proxy and manually patching the middleware logic to deny unauthenticated requests. The CVSS score is 9.
AI Analysis
Technical Summary
CVE-2026-23837 is an incorrect authorization vulnerability (CWE-863) affecting franklioxygen's MyTube, a self-hosted downloader and player for multiple video websites. The flaw exists in the roleBasedAuthMiddleware component of MyTube versions before 1.7.66, where the middleware fails to properly verify user authentication. Specifically, if an attacker sends a request without an authentication cookie, the req.user object is undefined, but the middleware erroneously calls next() instead of blocking the request. This logic flaw allows unauthenticated users to bypass mandatory authentication checks and gain unauthorized access to protected API endpoints such as /api/settings. Through these endpoints, attackers can alter application settings, reset administrative and visitor passwords, and access other sensitive routes that rely on this middleware for access control. The vulnerability affects all instances running MyTube with loginEnabled set to true. The issue was patched in version 1.7.66 by modifying the middleware to explicitly return a 401 Unauthorized error when req.user is undefined. Until users upgrade, mitigations include restricting network access to API endpoints using firewalls or reverse proxies like Nginx, or manually patching the middleware source code to enforce proper authentication checks. The vulnerability has a CVSS 3.1 base score of 9.8, indicating critical severity due to its network attack vector, lack of required privileges or user interaction, and full impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported yet, but the flaw’s simplicity and severity make it a high-risk target for attackers.
Potential Impact
For European organizations, this vulnerability poses a critical risk to the confidentiality, integrity, and availability of MyTube instances. Unauthorized access to administrative settings can lead to complete takeover of the application, allowing attackers to manipulate content, disrupt services, or pivot to other internal systems. Organizations in media production, education, and digital content distribution that rely on MyTube for video management are particularly vulnerable. The ability to change passwords and settings without authentication can result in data breaches, service outages, and reputational damage. Given the critical CVSS score and ease of exploitation, unpatched MyTube deployments in Europe could be quickly compromised, especially in environments with internet-facing instances or insufficient network segmentation. The impact extends to compliance risks under GDPR if personal data is exposed or altered. The lack of user interaction and authentication requirements means attackers can automate exploitation at scale, increasing the threat to European entities.
Mitigation Recommendations
1. Immediate upgrade of all MyTube instances to version 1.7.66 or later is the most effective mitigation.
2. Until upgrade is possible, restrict access to /api/ endpoints using network-level controls such as firewalls or reverse proxies (e.g., Nginx) to allow only trusted IP addresses.
3. For organizations with development resources, manually patch the roleBasedAuthMiddleware by modifying the logic to return a 401 Unauthorized error when req.user is undefined instead of calling next().
4. Conduct thorough audits of MyTube configurations to ensure loginEnabled is set to true and verify no instances are running vulnerable versions.
5. Monitor logs for unusual access patterns to /api/settings or other protected routes that could indicate exploitation attempts.
6. Implement network segmentation to isolate MyTube servers from critical infrastructure.
7. Educate administrators on the importance of timely patching and secure configuration management.
8. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized API requests targeting MyTube endpoints.
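The middleware flaw described in the technical analysis, and the fix that mitigation step 3 asks for, shown as an added example (not MyTube's own code): an Express-style role-based authorization middleware that falls through to next() when req.user is undefined, beside a corrected version that returns 401 first. The function names, the allowedRoles parameter, and the simulated req/res/next objects are assumptions so the block runs without Express.

```javascript
// Added example, not the MyTube source. Shapes of req, res and next mimic
// Express; roleBasedAuthMiddlewareVulnerable/Fixed and allowedRoles are
// assumed names for illustration.

// Vulnerable pattern (CWE-863): the role check is guarded by "req.user &&",
// so a request with no auth cookie (req.user undefined) skips the check
// entirely and reaches next(), i.e. the protected handler.
function roleBasedAuthMiddlewareVulnerable(allowedRoles) {
  return function (req, res, next) {
    if (req.user && !allowedRoles.includes(req.user.role)) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    next(); // BUG: also reached when req.user is undefined
  };
}

// Corrected pattern: deny the unauthenticated case explicitly with 401
// before any role comparison, which is how the 1.7.66 fix is described.
function roleBasedAuthMiddlewareFixed(allowedRoles) {
  return function (req, res, next) {
    if (!req.user) {
      return res.status(401).json({ error: 'Unauthorized' });
    }
    if (!allowedRoles.includes(req.user.role)) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    next();
  };
}

// Minimal stand-in for Express res/next: records the status set by the
// middleware and whether the downstream handler would have run.
function runMiddleware(middleware, user) {
  const result = { status: 200, reachedHandler: false };
  const res = {
    status(code) { result.status = code; return this; },
    json() { return this; },
  };
  middleware({ user }, res, () => { result.reachedHandler = true; });
  return result;
}

// Constructed requests: no cookie (user undefined), a visitor, an admin.
const adminOnly = ['admin'];
console.log('vulnerable, no cookie :', runMiddleware(roleBasedAuthMiddlewareVulnerable(adminOnly), undefined));
console.log('fixed, no cookie      :', runMiddleware(roleBasedAuthMiddlewareFixed(adminOnly), undefined));
console.log('fixed, visitor        :', runMiddleware(roleBasedAuthMiddlewareFixed(adminOnly), { role: 'visitor' }));
console.log('fixed, admin          :', runMiddleware(roleBasedAuthMiddlewareFixed(adminOnly), { role: 'admin' }));
```

A quick regression check for a patched deployment is the second case: a request to a protected /api/ route with no cookie must produce 401, never 200.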
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-16T15:46:40.842Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696e92284623b1157ccc1f38
Added to database: 1/19/2026, 8:20:56 PM
Last enriched: 1/19/2026, 8:35:17 PM
Last updated: 1/19/2026, 9:59:15 PM