HIGHCVE-2026-33890Published 2026-03-27Modified 2026-03-27CNA GitHub_M

CVE-2026-33890: MyTube has an Unauthenticated Admin Privilege Escalation via Passkey Registration

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue.

CVSS v4.0: 8.9
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

franklioxygen / MyTube
< 1.8.71

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References

https://github.com/franklioxygen/MyTube/security/advisories/GHSA-378w-xh68-qrc8
https://github.com/franklioxygen/MyTube/commit/d6c1275a7ff7ffd3d51b53c333237f4d572580ac

Metrics