
CVE-2026-23848: CWE-807: Reliance on Untrusted Inputs in a Security Decision in franklioxygen MyTube

Medium
Published: Mon Jan 19 2026 (01/19/2026, 20:34:40 UTC)
Source: CVE Database V5
Vendor/Project: franklioxygen
Product: MyTube

Description

CVE-2026-23848 is a medium severity vulnerability in franklioxygen's MyTube versions prior to 1.7.71. It allows unauthenticated attackers to bypass IP-based rate limiting by spoofing the X-Forwarded-For HTTP header. This enables attackers to send unlimited requests to protected API endpoints, potentially causing denial of service (DoS) or abuse of rate-limited functionality. The vulnerability arises from reliance on untrusted input for security decisions (CWE-807). No authentication or user interaction is required, and the vulnerability affects availability with limited confidentiality impact. The issue is patched in version 1.7.71.

AI-Powered Analysis

Last updated: 01/19/2026, 21:05:19 UTC

Technical Analysis

CVE-2026-23848 is a vulnerability identified in the MyTube application, a self-hosted downloader and player for multiple video websites, maintained by franklioxygen. Versions prior to 1.7.71 are affected by a rate limiting bypass vulnerability due to improper validation of the X-Forwarded-For HTTP header. The application uses IP-based rate limiting to protect API endpoints from abuse and denial of service attacks. However, it relies on the X-Forwarded-For header, which can be manipulated by unauthenticated attackers to spoof arbitrary client IP addresses. This allows attackers to circumvent the rate limiting controls, effectively enabling unlimited requests to general API endpoints and other rate-limited features. The vulnerability is classified under CWE-807, indicating reliance on untrusted inputs in security decisions. The CVSS v3.1 base score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact but potential availability impact. The flaw does not require authentication, making it accessible to any remote attacker. The vendor addressed this issue in MyTube version 1.7.71 by correcting the handling of the X-Forwarded-For header to prevent spoofing and enforce proper rate limiting. No known exploits are reported in the wild as of the publication date. The vulnerability primarily threatens availability by enabling denial of service through excessive requests, and to a lesser extent, confidentiality due to potential API abuse. Integrity is not impacted. The issue highlights the risk of trusting client-supplied HTTP headers for security controls without proper validation or fallback mechanisms.

Potential Impact

For European organizations deploying MyTube internally or as part of their media infrastructure, this vulnerability poses a risk of service disruption due to denial of service attacks. Attackers can bypass rate limits and overwhelm API endpoints, potentially degrading service availability for legitimate users. This can affect business continuity, user experience, and operational efficiency. While confidentiality impact is limited, abuse of API endpoints could lead to indirect information exposure or resource exhaustion. Organizations relying on MyTube for video content delivery or internal media management may face increased operational risks and potential reputational damage if exploited. The vulnerability's ease of exploitation and unauthenticated access increase the likelihood of opportunistic attacks, especially in environments exposed to the internet or untrusted networks. European entities with regulatory obligations around service availability and data protection should prioritize mitigation to avoid compliance issues. The impact is more pronounced for organizations with high usage of MyTube or those integrating it into critical workflows.

Mitigation Recommendations

European organizations should immediately upgrade MyTube installations to version 1.7.71 or later to apply the official patch that corrects the X-Forwarded-For header handling and enforces proper rate limiting. Until upgrades are completed, network-level mitigations should be implemented, such as deploying web application firewalls (WAFs) or reverse proxies that validate or strip suspicious X-Forwarded-For headers to prevent spoofing. Rate limiting should be enforced based on more reliable client identification methods, such as authenticated sessions or token-based mechanisms, rather than solely on IP addresses. Monitoring and alerting on unusual API request patterns can help detect exploitation attempts early. Organizations should also review and restrict network exposure of MyTube instances, limiting access to trusted internal networks or VPNs where possible. Regular security assessments and penetration testing focused on API abuse and header manipulation can identify residual risks. Finally, educating administrators about the risks of trusting client-supplied headers in security decisions will help prevent similar issues in other applications.
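The following is an added illustration, not MyTube's own code, of the flaw described in the technical analysis and of the mitigation recommended above: a rate limiter keyed on the first X-Forwarded-For entry can be bypassed by any client, whereas one that honours the header only when the direct peer is a configured trusted proxy cannot. The trusted-proxy set, IP addresses and request counts are constructed for the example.

```javascript
// Added example (not MyTube's code): an IP-keyed rate limiter is bypassed
// when it trusts X-Forwarded-For blindly; the hardened resolver only honours
// the header when the TCP peer is a configured reverse proxy.

// Naive client-IP resolution: the first X-Forwarded-For entry wins.
// Any unauthenticated client can set this header to a fresh value per
// request, so every request lands in a new rate-limit bucket.
function clientIpNaive(remoteAddr, xff) {
  return xff ? xff.split(',')[0].trim() : remoteAddr;
}

// Hardened: ignore X-Forwarded-For unless the peer is a trusted proxy, then
// walk the chain from the right, skipping trusted hops, so the key is the
// first address that was NOT appended by one of our own proxies.
// (trustedProxies is an assumed deployment setting, e.g. the load balancer.)
function clientIpHardened(remoteAddr, xff, trustedProxies) {
  if (!trustedProxies.has(remoteAddr) || !xff) return remoteAddr;
  const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return remoteAddr; // every listed hop was a trusted proxy
}

// Minimal fixed-window limiter keyed on whatever the resolver returns.
function makeLimiter(resolveIp, limit) {
  const counts = new Map();
  return (remoteAddr, xff) => {
    const key = resolveIp(remoteAddr, xff);
    const n = (counts.get(key) || 0) + 1;
    counts.set(key, n);
    return n <= limit; // true = request allowed
  };
}

// Constructed scenario: one client on 203.0.113.7 sends 10 requests, each
// with a different spoofed X-Forwarded-For value; the limit is 3 per IP.
function simulate(resolveIp, requests = 10, limit = 3) {
  const allow = makeLimiter(resolveIp, limit);
  let allowed = 0;
  for (let i = 0; i < requests; i++) {
    if (allow('203.0.113.7', `10.0.0.${i}`)) allowed++;
  }
  return allowed;
}

const TRUSTED = new Set(['192.0.2.1']); // assumed: the site's own reverse proxy
const naiveAllowed = simulate(clientIpNaive); // 10: limiter bypassed
const hardenedAllowed = simulate((r, x) => clientIpHardened(r, x, TRUSTED)); // 3
console.log({ naiveAllowed, hardenedAllowed });
```

A legitimate request that really did traverse the trusted proxy still resolves to the real client (the rightmost untrusted hop), so the hardened variant does not break proxied deployments.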


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-01-16T15:46:40.843Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 696e99304623b1157cce4b19

Added to database: 1/19/2026, 8:50:56 PM

Last enriched: 1/19/2026, 9:05:19 PM

Last updated: 1/20/2026, 1:01:37 PM

