MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and poetntially earlier versions a...
Description
MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and poetntially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication cookie (making req.user undefined), a request is incorrectly passed through to downstream handlers. All users running MyTube with loginEnabled: true are impacted. This flaw allows an attacker to access and modify application settings via /api/settings, change administrative and visitor passwords, and access other protected routes that rely on this specific middleware. The problem is patched in v1.7.66. MyTube maintainers recommend all users upgrade to at least version v1.7.64 immediately to secure their instances. The fix ensures that the middleware explicitly blocks requests if a user is not authenticated, rather than defaulting to next(). Those who cannot upgrade immediately can mitigate risk by restricting network access by usi a firewall or reverse proxy (like Nginx) to restrict access to the /api/ endpoints to trusted IP addresses only or, if they are comfortable editing the source code, manually patch by locating roleBasedAuthMiddleware and ensuring that the logic defaults to an error (401 Unauthorized) when req.user is undefined, instead of calling next().
AI Analyst Comment
Remediation
Update MyTube is a Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Executive Summary:
A critical authentication bypass vulnerability exists in the MyTube self-hosted downloader and player. This flaw allows an unauthenticated attacker to gain complete administrative control over the application by simply sending a request without an authentication cookie. Successful exploitation could lead to unauthorized access and modification of application settings, password changes for all users, and full access to protected functions.
Vulnerability Details
CVE-ID: CVE-2026-23837
Affected Software: MyTube is a Multiple Products
Affected Versions: Version 1.7.65 and earlier
Vulnerability: The vulnerability lies within the
roleBasedAuthMiddlewarecomponent, which is responsible for authenticating and authorizing user requests. When a request is made without an authentication cookie, thereq.userobject isundefined. Instead of rejecting the request as unauthorized, the flawed middleware incorrectly proceeds by callingnext(), thereby granting the unauthenticated request access to protected downstream API endpoints. An attacker can exploit this by sending crafted requests to sensitive routes, such as/api/settings, to view and modify configurations, change administrative passwords, and access any other functionality protected by this middleware.Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant and immediate risk to the organization. Exploitation allows a remote, unauthenticated attacker to completely compromise the MyTube application instance. The potential consequences include loss of confidentiality through access to application data, loss of integrity through unauthorized modification of settings and user accounts, and loss of availability by locking out legitimate administrators and users. This could lead to operational disruption, data breaches, and reputational damage.
Remediation Plan
Immediate Action: Upgrade all instances of MyTube to the patched version v1.7.66 or later. After upgrading, monitor application and web server logs for any signs of exploitation attempts that may have occurred prior to the patch.
Proactive Monitoring: Security teams should actively monitor web server access logs for any unauthenticated requests targeting protected API endpoints, particularly
/api/settings. Monitor for anomalous or unauthorized changes to application configurations, user accounts, or passwords. An increase in requests resulting in 401 or 403 status codes against API endpoints could also indicate scanning or exploitation attempts.Compensating Controls: If immediate patching is not feasible, apply one of the following mitigations:
/api/path to trusted IP addresses only.roleBasedAuthMiddlewarefunction and add a condition to explicitly reject requests and return a 401 Unauthorized error whenreq.useris undefined, before thenext()function is called.Exploitation Status
Public Exploit Available: false
Analyst Notes: As of January 19, 2026, there is no known public exploit code available for this vulnerability. However, due to the simplicity of the authentication bypass, it is highly likely that proof-of-concept exploits will be developed and published quickly. Organizations should assume that attackers will soon be able to exploit this flaw.
Analyst Recommendation
Given the critical CVSS score of 9.8 and the ease of exploitation, this vulnerability presents a severe risk. We strongly recommend that all affected MyTube instances be upgraded to version 1.7.66 or later with the highest priority. If patching cannot be performed immediately, the compensating controls outlined above must be implemented without delay to reduce the attack surface. Although this CVE is not currently on the CISA KEV list, its critical nature makes it a prime candidate for future inclusion and an attractive target for threat actors.