A critical authentication bypass vulnerability exists in the MyTube self-hosted downloader and player. This flaw allows an unauthenticated attacker to gain complete administrative control over the application by simply sending a request without an authentication cookie. Successful exploitation could lead to unauthorized access and modification of application settings, password changes for all users, and full access to protected functions.

The vulnerability lies within the roleBasedAuthMiddleware component, which is responsible for authenticating and authorizing user requests. When a request is made without an authentication cookie, the req.user object is undefined. Instead of rejecting the request as unauthorized, the flawed middleware incorrectly proceeds by calling next(), thereby granting the unauthenticated request access to protected downstream API endpoints. An attacker can exploit this by sending crafted requests to sensitive routes, such as /api/settings, to view and modify configurations, change administrative passwords, and access any other functionality protected by this middleware.

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant and immediate risk to the organization. Exploitation allows a remote, unauthenticated attacker to completely compromise the MyTube application instance. The potential consequences include loss of confidentiality through access to application data, loss of integrity through unauthorized modification of settings and user accounts, and loss of availability by locking out legitimate administrators and users. This could lead to operational disruption, data breaches, and reputational damage.

Immediate Action: Upgrade all instances of MyTube to the patched version v1.7.66 or later. After upgrading, monitor application and web server logs for any signs of exploitation attempts that may have occurred prior to the patch.

Proactive Monitoring: Security teams should actively monitor web server access logs for any unauthenticated requests targeting protected API endpoints, particularly /api/settings. Monitor for anomalous or unauthorized changes to application configurations, user accounts, or passwords. An increase in requests resulting in 401 or 403 status codes against API endpoints could also indicate scanning or exploitation attempts.

Compensating Controls: If immediate patching is not feasible, apply one of the following mitigations:

• Network Segmentation: Use a firewall or reverse proxy (e.g., Nginx) to restrict all access to the /api/ path to trusted IP addresses only.
• Manual Patching: For users comfortable with modifying source code, locate the roleBasedAuthMiddleware function and add a condition to explicitly reject requests and return a 401 Unauthorized error when req.user is undefined, before the next() function is called.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the ease of exploitation, this vulnerability presents a severe risk. We strongly recommend that all affected MyTube instances be upgraded to version 1.7.66 or later with the highest priority. If patching cannot be performed immediately, the compensating controls outlined above must be implemented without delay to reduce the attack surface. Although this CVE is not currently on the CISA KEV list, its critical nature makes it a prime candidate for future inclusion and an attractive target for threat actors.