CVE-2026-23837
Authentication Bypass in MyTube roleBasedAuthMiddleware Allows Unauthorized Access
Publication date: 2026-01-19
Last updated on: 2026-01-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| franklioxygen | mytube | to 1.7.65 (inc) |
| franklioxygen | mytube | From 1.7.64 (inc) |
| franklioxygen | mytube | 1.7.66 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthorized users to bypass authentication and gain access to protected routes, including the ability to modify application settings and change administrative passwords. Such unauthorized access can lead to breaches of confidentiality, integrity, and availability of sensitive data, which may result in non-compliance with common standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal and sensitive information. [1]
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows attackers to bypass authentication and gain unauthorized access to protected parts of the MyTube application. Attackers can modify application settings, change administrative and visitor passwords, and access other sensitive routes that should be protected. This can lead to full compromise of the application, loss of data confidentiality, integrity, and availability, potentially allowing attackers to control or disrupt the service. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by attempting to access protected endpoints such as /api/settings without providing an authentication cookie. For example, using curl to send a request without authentication: curl -i http://<your-mytube-instance>/api/settings If the response is successful (not a 401 Unauthorized), your instance is likely vulnerable. Additionally, monitoring logs for requests to /api/settings or other protected routes that do not have valid authentication cookies can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading MyTube to at least version 1.7.64 or preferably 1.7.66 where the vulnerability is patched. If upgrading is not immediately possible, restrict network access to /api/ endpoints using a firewall or reverse proxy (e.g., Nginx) to allow only trusted IP addresses. Alternatively, if comfortable with source code changes, manually patch the roleBasedAuthMiddleware to return a 401 Unauthorized error when req.user is undefined instead of allowing the request to proceed. [1]
Can you explain this vulnerability to me?
CVE-2026-23837 is a critical authorization bypass vulnerability in the MyTube application (versions up to 1.7.65) when login is enabled. The flaw exists in the roleBasedAuthMiddleware, which incorrectly allows unauthenticated users (those without an authentication cookie, making req.user undefined) to bypass mandatory authentication checks. This means attackers can access protected routes and sensitive functions without logging in, including modifying application settings, changing admin and visitor passwords, and accessing other restricted endpoints. The issue is fixed in version 1.7.66 by explicitly blocking unauthenticated requests with a 401 Unauthorized error. [1]