
CVE-2026-33735: CWE-285: Improper Authorization in franklioxygen MyTube

Severity: High
Type: Vulnerability
Tags: CVE-2026-33735, CWE-285, CWE-639
Published: Fri Mar 27 2026 (03/27/2026, 00:36:31 UTC)
Source: CVE Database V5
Vendor/Project: franklioxygen
Product: MyTube

Description

CVE-2026-33735 is a high-severity improper authorization vulnerability in franklioxygen's MyTube application in versions prior to 1.8.69. It allows attackers with low-privilege credentials to bypass authorization checks on the /api/settings/import-database endpoint and potentially other POST routes. Exploiting this flaw enables an attacker to upload and replace the entire SQLite database used by the application, resulting in full compromise of MyTube. No user interaction or elevated privileges beyond low-level access are required, and the vulnerability is remotely exploitable over the network. Although no known exploits are currently in the wild, the impact is significant due to the complete control gained over the application. The issue is fixed in version 1.8.69.

AI-Powered Analysis

Machine-generated threat intelligence

AI Last updated: 03/27/2026, 01:31:03 UTC

Technical Analysis

MyTube, a self-hosted video downloader and player supporting multiple video websites, suffers from an improper authorization vulnerability identified as CVE-2026-33735. This vulnerability exists in versions prior to 1.8.69 and specifically affects the /api/settings/import-database endpoint, among other POST routes. The flaw allows attackers possessing only low-privilege credentials to bypass authorization controls and upload a malicious SQLite database file, effectively replacing the application's entire database. This leads to a full compromise of the application, including potential data manipulation, unauthorized access, and persistent control over MyTube's functionality. The vulnerability stems from insufficient authorization checks (CWE-285) and an authorization bypass through a user-controlled key (CWE-639). The CVSS 4.0 base score is 7.4, reflecting high severity due to the network attack vector, low attack complexity, no required user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability does not require elevated privileges beyond low-level access, so any attacker with some form of authenticated access can exploit it. The vendor addressed the issue in version 1.8.69 by correcting the authorization logic on the affected endpoints. No public exploits have been reported yet, but the risk remains significant for deployments running vulnerable versions.

Potential Impact

The impact of CVE-2026-33735 is substantial for organizations using MyTube versions prior to 1.8.69. An attacker with low-privilege credentials can fully compromise the application by replacing its SQLite database, leading to unauthorized data access, data corruption, or persistent malicious control. This could result in leakage of sensitive user data, disruption of service availability, and potential lateral movement within the hosting environment if MyTube is integrated into larger systems. Since MyTube is self-hosted and may be used in various organizational contexts, the risk extends to any environment where the application is deployed without proper access controls or timely patching. The vulnerability's ease of exploitation and high impact on confidentiality, integrity, and availability make it a critical concern for administrators. Additionally, the authorization bypass on multiple POST endpoints increases the attack surface, potentially allowing attackers to manipulate other critical functions beyond database import. Organizations failing to upgrade or restrict access may face data breaches, service outages, and reputational damage.

Mitigation Recommendations

To mitigate CVE-2026-33735, organizations should immediately upgrade MyTube to version 1.8.69 or later, where the authorization bypass has been fixed. Until upgrading is possible, restrict access to the /api/settings/import-database endpoint and other sensitive POST routes by implementing network-level controls such as IP whitelisting, VPN-only access, or firewall rules limiting access to trusted users. Enforce strong authentication and role-based access controls to ensure only authorized users have access to administrative or database import functions. Monitor application logs for unusual activity involving database imports or POST requests to sensitive endpoints. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized attempts to access these endpoints. Regularly audit user privileges and remove unnecessary low-privilege accounts that could be leveraged by attackers. Finally, maintain an up-to-date inventory of MyTube instances and ensure timely patch management processes to reduce exposure to known vulnerabilities.
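The log-monitoring step above, as an added detection example that is not part of this advisory or of the MyTube project: it scans constructed access-log lines for POST requests to /api/settings/import-database and other settings routes, and flags any that succeed for a non-admin account. The log format, the role names and the /api/settings/ prefix are assumptions for the example; MyTube's real log layout is not given on the page.

```python
import re

# Endpoint named in the advisory, plus an assumed prefix so that the "other POST
# routes" it mentions are covered too (the prefix is an assumption, not from the page).
SENSITIVE_POST_ROUTES = ("/api/settings/import-database", "/api/settings/")

# Constructed log format for this example (not MyTube's real log format):
# <timestamp> <client-ip> user=<name> role=<role> <METHOD> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

def is_sensitive(method: str, path: str) -> bool:
    """True for POST requests to the database-import endpoint or any settings route."""
    return method == "POST" and any(path.startswith(r) for r in SENSITIVE_POST_ROUTES)

def classify(role: str, status: int, admin_roles=("admin",)) -> str:
    """Severity label for one sensitive POST, based on who called it and whether it succeeded."""
    if role in admin_roles:
        return "INFO"    # legitimate admin import; still worth confirming it was planned
    if status < 400:
        return "ALERT"   # non-admin succeeded: the authorization-bypass pattern
    return "WARN"        # non-admin tried and was rejected: what a patched 1.8.69 should log

def scan(lines, admin_roles=("admin",)):
    """Return one finding dict per sensitive POST found in the log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        if not is_sensitive(m["method"], m["path"]):
            continue
        status = int(m["status"])
        findings.append({
            "ts": m["ts"], "ip": m["ip"], "user": m["user"], "role": m["role"],
            "path": m["path"], "status": status,
            "level": classify(m["role"], status, admin_roles),
        })
    return findings

# Constructed sample lines, not real MyTube output.
SAMPLE_LOG = [
    "2026-03-27T00:40:01Z 10.0.0.5 user=alice role=admin POST /api/settings/import-database 200",
    "2026-03-27T00:41:13Z 10.0.0.9 user=bob role=user POST /api/settings/import-database 403",
    "2026-03-27T00:42:55Z 10.0.0.9 user=bob role=user POST /api/settings/import-database 200",
    "2026-03-27T00:43:10Z 10.0.0.9 user=bob role=user GET /api/videos 200",
    "garbage line that does not match the expected format",
]
```

On the sample, the third line is the one an administrator should page on: a low-privilege account completed a database import, which is exactly the outcome the advisory describes.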


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-23T17:34:57.561Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69c5da053c064ed76f01c43a

Added to database: 3/27/2026, 1:14:45 AM

Last enriched: 3/27/2026, 1:31:03 AM

Last updated: 3/27/2026, 3:56:37 AM

Views: 7
