CVE-2026-33935: CWE-307: Improper Restriction of Excessive Authentication Attempts in franklioxygen MyTube
CVE-2026-33935 is a high-severity vulnerability in franklioxygen's MyTube versions prior to 1.8.72 that allows an unauthenticated attacker to cause a denial of service by locking out all users from password-based authentication. The application uses three publicly accessible password verification endpoints that share a single file-backed login attempt state. Repeated failed login attempts increment a global counter and trigger progressively longer cooldown lockouts, eventually reaching a 24-hour lockout period. An attacker can maintain this lockout indefinitely by timing failed attempts, effectively preventing legitimate users from logging in. This vulnerability does not require authentication or user interaction and affects confidentiality and availability by denying access to accounts. The issue is fixed in version 1.8.72.
AI Analysis (machine-generated threat intelligence)
Technical Summary
MyTube is a self-hosted video downloader and player that supports multiple video websites. Prior to version 1.8.72, it contains a vulnerability (CVE-2026-33935) classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts). The application exposes three distinct password verification endpoints, all publicly accessible and sharing a single login attempt state stored in a file named 'login-attempts.json'. This shared state tracks failed login attempts, timestamps, and cooldown periods. When a failed login occurs on any endpoint, the shared counter increments and the cooldown timer is adjusted. Before any password verification, the system checks if the cooldown period is active; if so, it rejects the attempt outright. Because the failed attempt counter and cooldown are global across all endpoints, an attacker can send repeated invalid authentication requests to any endpoint, causing the failed attempts counter to increase and the cooldown lockout duration to escalate progressively, up to a maximum of 24 hours. Once this maximum lockout is reached, the attacker can maintain a persistent denial of service by sending a failed attempt after each cooldown expires, immediately triggering another 24-hour lockout if no successful login occurs. This effectively locks out all legitimate users, including administrators and visitors, from password-based authentication. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The issue was addressed and fixed in MyTube version 1.8.72.
Potential Impact
This vulnerability can cause a denial of service by locking out all users from authenticating via password, severely impacting availability of the MyTube service. Organizations relying on MyTube for video downloading and playback may experience complete loss of access for administrators and users, disrupting operations and potentially causing service outages. The inability to authenticate could delay incident response or administrative actions, increasing operational risk. Since the vulnerability is exploitable remotely without authentication or user interaction, it can be triggered by any attacker with network access to the service. Although it does not directly compromise confidentiality or integrity, the denial of service impact is significant, especially for environments where MyTube is critical. The shared login attempt state design flaw allows a single attacker to affect all authentication endpoints simultaneously, amplifying the impact. The lack of known exploits in the wild reduces immediate risk, but the high CVSS score (7.7) and ease of exploitation indicate a serious threat if unpatched.
Mitigation Recommendations
Upgrade MyTube to version 1.8.72 or later, where this vulnerability is fixed. If upgrading immediately is not possible, implement network-level protections such as rate limiting and IP-based throttling on all authentication endpoints to limit the number of failed login attempts from a single source. Consider isolating or disabling unused authentication endpoints to reduce the attack surface. Monitor login attempt logs for unusual spikes in failed authentications that could indicate exploitation attempts. Implement additional authentication mechanisms such as multi-factor authentication (MFA) to reduce reliance on password-based authentication alone. If feasible, modify the application to separate login attempt tracking per endpoint or per user to prevent global lockouts. Employ web application firewalls (WAFs) with rules to detect and block brute force or repeated failed login attempts targeting MyTube endpoints. Regularly audit and review authentication mechanisms and their rate limiting policies to ensure they are robust against denial of service attacks.
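To make the design flaw in the technical analysis and the "separate tracking per user/source" recommendation concrete, here is an added example (not MyTube's own code) that models a login-attempts.json style store with an escalating cooldown. The schedule of cooldown steps, the 24-hour cap placement and the per-source keying are assumptions; only the shared-versus-keyed behaviour is what the advisory describes.

```python
# Assumed escalation schedule in seconds, indexed by consecutive failure count.
# The advisory only says the cooldown grows progressively up to 24 hours.
COOLDOWNS = [0, 0, 0, 60, 300, 3600, 86400]
MAX_COOLDOWN = 86400  # 24-hour cap stated in the advisory


def next_cooldown(failures: int) -> int:
    """Cooldown applied after `failures` consecutive failed attempts (capped)."""
    return min(COOLDOWNS[min(failures, len(COOLDOWNS) - 1)], MAX_COOLDOWN)


class LoginAttemptState:
    """Models the file-backed attempt state. per_key=False is one record shared by
    every endpoint and caller (the vulnerable design); per_key=True keeps one record
    per caller key, e.g. source address or user, so one source cannot lock out others."""

    def __init__(self, per_key: bool):
        self.per_key = per_key
        self.records = {}  # key -> {"failures": int, "locked_until": float}

    def _rec(self, key: str) -> dict:
        k = key if self.per_key else "global"
        return self.records.setdefault(k, {"failures": 0, "locked_until": 0.0})

    def locked_until(self, key: str) -> float:
        return self._rec(key)["locked_until"]

    def attempt(self, key: str, password_ok: bool, now: float) -> str:
        rec = self._rec(key)
        if now < rec["locked_until"]:
            return "locked"  # rejected before any password verification
        if password_ok:
            rec["failures"], rec["locked_until"] = 0, 0.0
            return "ok"
        rec["failures"] += 1
        rec["locked_until"] = now + next_cooldown(rec["failures"])
        return "fail"


def simulate(per_key: bool) -> str:
    """One noisy source fails at every cooldown boundary; a legitimate admin with the
    correct password then tries from a different address one second after the last failure."""
    noisy, admin = "203.0.113.7", "198.51.100.5"  # constructed sample addresses
    store, now = LoginAttemptState(per_key), 0.0
    for _ in range(7):
        store.attempt(noisy, False, now)
        admin_time = now + 1
        now = store.locked_until(noisy)  # return exactly when the cooldown ends
    return store.attempt(admin, True, admin_time)
```

With the shared record the admin's correct password is never even checked; with a keyed record the same traffic only affects the noisy source.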
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-24T19:50:52.103Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c5da053c064ed76f01c44a
Added to database: 3/27/2026, 1:14:45 AM
Last enriched: 3/27/2026, 1:30:05 AM
Last updated: 3/27/2026, 2:15:58 AM