
CVE-2026-23848: CWE-807: Reliance on Untrusted Inputs in a Security Decision in franklioxygen MyTube

Severity: Medium
Tags: vulnerability, CVE-2026-23848, CWE-807
Published: Mon Jan 19 2026 (01/19/2026, 20:34:40 UTC)
Source: CVE Database V5
Vendor/Project: franklioxygen
Product: MyTube

Description

CVE-2026-23848 is a medium severity vulnerability in franklioxygen's MyTube, affecting versions prior to 1.7.71. It allows unauthenticated attackers to bypass IP-based rate limiting by spoofing the X-Forwarded-For header, enabling unlimited requests to API endpoints. This can lead to denial-of-service conditions and abuse of rate-limited functionality. The vulnerability arises from reliance on untrusted input for a security decision (CWE-807). No authentication or user interaction is required; the impact is primarily on availability, with limited confidentiality impact. A patch was released in version 1.7.71.

AI-Powered Analysis

Last updated: 01/27/2026, 20:23:19 UTC

Technical Analysis

CVE-2026-23848 is a vulnerability in MyTube, a self-hosted video downloader and player supporting multiple video websites. The flaw exists in versions prior to 1.7.71 and involves improper reliance on the X-Forwarded-For HTTP header when enforcing IP-based rate limiting on API endpoints. The root cause is a familiar one: X-Forwarded-For is an ordinary request header, so unless a trusted reverse proxy overwrites it (or appends the real peer address to it), its contents are whatever the client chose to send. An application that keys its rate limiter on that value, and in particular on the leftmost entry, lets each request pick its own "client IP", so per-IP limits never accumulate. Attackers can therefore impersonate arbitrary client addresses and send unlimited requests to protected API endpoints without authentication, potentially overwhelming the service and causing denial-of-service (DoS) conditions. The vulnerability is classified under CWE-807, reliance on untrusted inputs in security decisions. The CVSS v3.1 base score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, limited confidentiality impact, and low integrity and availability impact. The patch in version 1.7.71 corrects this by properly validating or ignoring the X-Forwarded-For header for rate limiting purposes. No known exploits are currently reported in the wild. The vulnerability primarily threatens availability by enabling DoS attacks and could facilitate abuse of rate-limited features, potentially impacting service stability and user experience.

Potential Impact

For European organizations using MyTube versions prior to 1.7.71, this vulnerability poses a risk of denial-of-service attacks that can disrupt access to video downloading and playback services. This could affect internal workflows relying on MyTube for media consumption or content processing, especially in media companies, educational institutions, or enterprises with self-hosted media solutions. The ability to bypass rate limits without authentication increases the risk of automated abuse, potentially leading to service outages or degraded performance. While confidentiality and integrity impacts are limited, availability disruptions could affect business continuity and user satisfaction. Organizations operating in sectors where video content delivery is critical may face operational and reputational damage. Additionally, if MyTube is exposed to the internet, attackers could exploit this vulnerability remotely without authentication, increasing the attack surface. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.

Mitigation Recommendations

European organizations should immediately upgrade MyTube installations to version 1.7.71 or later, where the vulnerability is patched. If upgrading is not immediately feasible, enforce the client-identity boundary at the network edge: have the reverse proxy in front of MyTube overwrite X-Forwarded-For with the address of the TCP peer it actually accepted the connection from (rather than passing the client-supplied value through), and ensure the application only trusts the header when the request arrived from that proxy. If MyTube is exposed directly with no proxy, the socket address is the only honest identifier; any header-derived value is attacker-controlled. Deploy Web Application Firewalls (WAFs) or reverse proxies configured to enforce rate limiting on the real peer address or another identifier the client cannot forge. For detection, count requests per TCP peer address in proxy logs rather than per X-Forwarded-For value: a single peer emitting a burst of requests with many distinct X-Forwarded-For values is the signature of this bypass. Restrict access to MyTube API endpoints to trusted networks or VPNs where possible to reduce exposure. Conduct regular security audits and penetration tests focusing on header manipulation and rate limiting controls. Maintain up-to-date incident response plans to quickly address potential DoS attacks. Finally, educate administrators about the risks of trusting client-supplied headers for security decisions.
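The following is an added example, not code from MyTube or from this page. It puts the vulnerable pattern described in the technical analysis (the leftmost X-Forwarded-For hop used as the rate-limit key) beside the hardened key derivation the mitigation section calls for (honour the header only behind a trusted proxy, and take the rightmost hop that is not one of our own proxies), then runs a constructed burst of spoofed requests through a simple fixed-window limiter under each. The proxy address 10.0.0.2, the attacker address 198.51.100.9, the limit of 10 requests per window, and the request objects are all assumptions made for the demonstration.

```javascript
// Added example, not MyTube's own code: why a rate limiter keyed on a
// client-supplied X-Forwarded-For (XFF) header is bypassable, and a
// hardened key derivation that honours XFF only when a trusted reverse
// proxy set it. Plain JavaScript with no dependencies; every request
// object below is constructed for the demonstration.

// Split an XFF value into its comma-separated hops, leftmost first.
function parseForwardedFor(headerValue) {
  if (!headerValue) return [];
  return headerValue.split(",").map((h) => h.trim()).filter(Boolean);
}

// VULNERABLE pattern (CWE-807): the leftmost XFF hop becomes the client
// identity, so whatever the client writes into the header is the key.
function clientKeyVulnerable(req) {
  const hops = parseForwardedFor(req.headers["x-forwarded-for"]);
  return hops.length > 0 ? hops[0] : req.socketAddress;
}

// HARDENED: trust XFF only when the TCP peer is a known proxy, then walk
// the chain from the right, skipping trusted proxies, so the key is the
// first address that we did not put there ourselves. A request that did
// not arrive via a trusted proxy is keyed on its socket address alone.
function clientKeyHardened(req, trustedProxies) {
  if (!trustedProxies.has(req.socketAddress)) return req.socketAddress;
  const hops = parseForwardedFor(req.headers["x-forwarded-for"]);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return req.socketAddress; // header held only trusted proxies
}

// Fixed-window counter: at most `limit` requests per key per window.
class RateLimiter {
  constructor(limit, windowMs, keyFn) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.keyFn = keyFn;
    this.buckets = new Map();
  }

  // Returns true if the request is within the limit for its key.
  allow(req, nowMs) {
    const key = this.keyFn(req);
    const window = Math.floor(nowMs / this.windowMs);
    let bucket = this.buckets.get(key);
    if (!bucket || bucket.window !== window) {
      bucket = { window, count: 0 };
      this.buckets.set(key, bucket);
    }
    bucket.count += 1;
    return bucket.count <= this.limit;
  }
}

// Constructed attack: the app sits behind one trusted proxy at 10.0.0.2
// (assumed address). The attacker at 198.51.100.9 (assumed) sends `count`
// requests within one window, each with a fresh spoofed XFF value; the
// proxy appends the real peer address, as nginx does with
// $proxy_add_x_forwarded_for. Returns how many requests the limiter
// (limit 10 per window) let through.
function simulateAttack(keyFn, count, trustedProxies) {
  const limiter = new RateLimiter(10, 60000, (req) => keyFn(req, trustedProxies));
  let accepted = 0;
  for (let i = 0; i < count; i++) {
    const spoofed = `10.${(i >> 16) & 255}.${(i >> 8) & 255}.${i & 255}`;
    const req = {
      socketAddress: "10.0.0.2",
      headers: { "x-forwarded-for": `${spoofed}, 198.51.100.9` },
    };
    if (limiter.allow(req, 0)) accepted += 1;
  }
  return accepted;
}

const trustedProxies = new Set(["10.0.0.2"]);
console.log("vulnerable key, 100 spoofed requests accepted:",
  simulateAttack(clientKeyVulnerable, 100, trustedProxies)); // 100
console.log("hardened key,   100 spoofed requests accepted:",
  simulateAttack(clientKeyHardened, 100, trustedProxies)); // 10
```

Run it with `node`. The part to carry into a deployment is the trusted-proxy set: an application that cannot tell a header written by its own reverse proxy from one written by the client has no honest way to use X-Forwarded-For at all, so an instance exposed without a proxy should key on the socket address only, and a proxied instance should key on the rightmost hop that its own proxies did not add.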


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-16T15:46:40.843Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 696e99304623b1157cce4b19

Added to database: 1/19/2026, 8:50:56 PM

Last enriched: 1/27/2026, 8:23:19 PM

Last updated: 2/6/2026, 9:29:32 PM

