The vulnerability identified as CVE-2026-33890 affects franklioxygen's MyTube, a self-hosted downloader and player for multiple video websites. Prior to version 1.8.71, the application exposes passkey registration endpoints that do not require any form of authentication. This design flaw allows an unauthenticated attacker to register an arbitrary passkey. Upon successful registration, the attacker can authenticate using this passkey and is automatically granted an administrator token, bypassing all access controls. This results in a full admin session, enabling the attacker to perform any administrative actions, including modifying configurations, accessing sensitive data, or disrupting service. The vulnerability stems from improper access control (CWE-284) where critical endpoints are accessible without authentication. The CVSS 4.0 vector indicates network attack vector, no authentication or user interaction required, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the vulnerability's nature makes it highly exploitable. The issue is resolved in MyTube version 1.8.71 by enforcing authentication on passkey registration endpoints and proper session token issuance.

The impact of this vulnerability is severe for organizations using MyTube versions prior to 1.8.71. An attacker can gain full administrative access without any credentials, leading to complete compromise of the application. This can result in unauthorized data access, manipulation or deletion of video content, disruption of service, and potential lateral movement within the hosting environment. Since MyTube is self-hosted, organizations may have sensitive or proprietary video content at risk. The compromise could also be leveraged to distribute malicious content or conduct further attacks on internal networks. The ease of exploitation and the critical access gained make this a significant threat to confidentiality, integrity, and availability of affected systems.

Organizations should immediately upgrade MyTube to version 1.8.71 or later, where the vulnerability is patched. Until the upgrade is applied, administrators should restrict network access to the passkey registration endpoints using firewall rules or network segmentation to prevent unauthenticated access. Monitoring and logging of authentication attempts and passkey registrations should be enhanced to detect suspicious activity. Implementing Web Application Firewalls (WAF) with rules to block unauthorized access to registration endpoints can provide temporary protection. Additionally, organizations should audit existing passkeys and invalidate any that were registered without proper authorization. Regular security assessments and penetration testing of self-hosted applications like MyTube are recommended to identify similar access control issues proactively.