CVE-2026-24139
BaseFortify
Publication date: 2026-01-24
Last updated on: 2026-02-02
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| franklioxygen | mytube | up to 1.7.78 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24139 is an authorization bypass vulnerability in the MyTube application (versions 1.7.78 and below). It occurs because the application does not properly check user permissions on the database export endpoint. This means that even guest or low-privileged users can download the entire application database, which contains sensitive information such as user credentials and application secrets. The root cause is missing authorization checks that should restrict this action to administrators only. [1]
How can this vulnerability impact me?
This vulnerability can have a severe impact by allowing unauthorized users, including guests, to access and download the complete application database. This can lead to exposure of sensitive data such as user credentials and application secrets, potentially resulting in data breaches, unauthorized access to user accounts, and compromise of the application's security and integrity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the database export endpoint (/export-database) with a low-privileged or guest user account. For example, use a curl command with a valid authentication token for a guest user to see if the database can be downloaded. A sample command would be:

```
curl -H "Authorization: Bearer <guest_token>" https://<mytube-server>/export-database
```

If the request succeeds and returns the database, the system is vulnerable to this authorization bypass. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /export-database endpoint to only administrative users by enforcing strict role-based access control. Implement or verify middleware that blocks guest or visitor roles from accessing sensitive endpoints, returning HTTP 403 for unauthorized requests. Until a patched version is available, monitor and audit access logs for unauthorized export attempts and consider disabling the export feature if possible. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized guest users to download the complete application database, which may include sensitive data such as user credentials and application secrets. Such unauthorized access and potential data exfiltration could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information. Therefore, the vulnerability poses a risk to compliance by enabling exposure of sensitive data to unauthorized parties. [1]