CVE-2026-23848
Unknown Unknown - Not Provided
Rate Limiting Bypass via X-Forwarded-For in MyTube API

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: GitHub, Inc.

Description
MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating the `X-Forwarded-For` header, enabling unlimited requests to protected endpoints, including general API endpoints (enabling DoS) and other rate-limited functionality. Version 1.7.71 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-01-19
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23848
EUVD
EUVD-2026-3288
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
franklioxygen mytube to 1.7.71 (exc)
franklioxygen mytube From 1.0.0 (inc) to 1.7.71 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in MyTube (versions prior to 1.7.71) allows unauthenticated attackers to bypass IP-based rate limiting by spoofing the X-Forwarded-For header. The application trusts this header to identify client IPs for rate limiting, but attackers can manipulate it to appear as different IP addresses, enabling them to make unlimited requests to protected API endpoints. This bypass can lead to denial of service (DoS) attacks and abuse of resource-intensive operations. [1]

Impact Analysis

The vulnerability can impact you by allowing attackers to circumvent rate limits on MyTube's API endpoints, resulting in potential denial of service (DoS) attacks. Attackers can send unlimited requests by spoofing IP addresses, which may degrade service availability, exhaust resources, and bypass intended usage restrictions, potentially disrupting normal operations. [1]

Detection Guidance

You can detect this vulnerability by monitoring for unusual patterns of requests with varying X-Forwarded-For header values that exceed normal rate limits. A proof-of-concept involves sending POST requests with spoofed X-Forwarded-For headers to endpoints such as /api/settings/verify-admin-password to test if rate limiting is bypassed. On your system, you can use tools like curl or HTTP clients to send multiple requests with different X-Forwarded-For headers and observe if the rate limiting is enforced. For example, using curl commands: curl -X POST https://your-mytube-instance/api/settings/verify-admin-password -H "X-Forwarded-For: 1.2.3.4" curl -X POST https://your-mytube-instance/api/settings/verify-admin-password -H "X-Forwarded-For: 1.2.3.5" If these requests are not rate limited, your system is vulnerable. [1]

Mitigation Strategies

The immediate mitigation is to upgrade MyTube to version 1.7.71 or later, where the vulnerability is patched. The patch includes a refactor of IP extraction and validation logic to prioritize the non-spoofable socket IP address over the X-Forwarded-For header, validating IP addresses, and only trusting X-Forwarded-For when behind a trusted proxy. If upgrading is not immediately possible, consider disabling trust proxy settings or implementing custom IP validation to prevent spoofing of the X-Forwarded-For header. Monitoring and blocking suspicious requests with spoofed IP headers can also help mitigate attacks until the patch is applied. [1, 2]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23848. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart