CVE-2026-33890: CWE-284: Improper Access Control in franklioxygen MyTube
CVE-2026-33890 is a high-severity improper access control vulnerability in franklioxygen MyTube versions prior to 1. 8. 71. An unauthenticated attacker can register an arbitrary passkey via exposed endpoints without authentication and then use that passkey to gain full administrative access. This allows complete compromise of the application without needing any existing credentials. The issue is fixed in version 1. 8. 71.
AI Analysis
Technical Summary
MyTube, a self-hosted video downloader and player, exposes passkey registration endpoints without requiring authentication. Prior to version 1.8.71, this allows an unauthenticated attacker to register any passkey and subsequently authenticate with it, automatically receiving an administrator token. This improper access control (CWE-284) vulnerability enables full administrative access and complete compromise of the application. The vulnerability has a CVSS 4.0 base score of 8.9, indicating high severity. Version 1.8.71 addresses and fixes this issue.
Potential Impact
Exploitation of this vulnerability results in an unauthenticated attacker gaining full administrative privileges on the MyTube application, leading to complete compromise. This includes the ability to control all administrative functions without any prior credentials or authentication.
Mitigation Recommendations
Upgrade MyTube to version 1.8.71 or later, where this vulnerability is fixed. Since this is a self-hosted application, users must apply the update themselves. Patch status is confirmed fixed in version 1.8.71.
CVE-2026-33890: CWE-284: Improper Access Control in franklioxygen MyTube
Description
CVE-2026-33890 is a high-severity improper access control vulnerability in franklioxygen MyTube versions prior to 1. 8. 71. An unauthenticated attacker can register an arbitrary passkey via exposed endpoints without authentication and then use that passkey to gain full administrative access. This allows complete compromise of the application without needing any existing credentials. The issue is fixed in version 1. 8. 71.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
MyTube, a self-hosted video downloader and player, exposes passkey registration endpoints without requiring authentication. Prior to version 1.8.71, this allows an unauthenticated attacker to register any passkey and subsequently authenticate with it, automatically receiving an administrator token. This improper access control (CWE-284) vulnerability enables full administrative access and complete compromise of the application. The vulnerability has a CVSS 4.0 base score of 8.9, indicating high severity. Version 1.8.71 addresses and fixes this issue.
Potential Impact
Exploitation of this vulnerability results in an unauthenticated attacker gaining full administrative privileges on the MyTube application, leading to complete compromise. This includes the ability to control all administrative functions without any prior credentials or authentication.
Mitigation Recommendations
Upgrade MyTube to version 1.8.71 or later, where this vulnerability is fixed. Since this is a self-hosted application, users must apply the update themselves. Patch status is confirmed fixed in version 1.8.71.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T15:10:05.682Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69c5da053c064ed76f01c446
Added to database: 3/27/2026, 1:14:45 AM
Last enriched: 4/3/2026, 1:43:11 PM
Last updated: 5/11/2026, 2:58:10 AM
Views: 75
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.