CVE-2026-33735
Authorization Bypass in MyTube API Enables Full Application Compromise
Publication date: 2026-03-27
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| franklioxygen | mytube | to 1.8.69 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33735 is an authorization bypass vulnerability in the MyTube application, specifically affecting the `/api/settings/import-database` endpoint and other POST routes prior to version 1.8.69.
The vulnerability arises because the authorization middleware used unsafe substring matching on request URLs to determine access permissions. Attackers with low-privilege credentials could append query parameters mimicking allowed public endpoints to restricted URLs, tricking the system into granting unauthorized write access.
This flaw allows an attacker to upload and replace the entire SQLite database of the application, effectively leading to a full compromise of the application.
The issue was fixed in version 1.8.69 by replacing unsafe substring matching with exact and prefix-based path matching on normalized request paths, enforcing strict allowlists for public and visitor-accessible endpoints, and blocking query parameter injection attempts.
How can this vulnerability impact me? :
This vulnerability allows an attacker with low-privilege visitor credentials to bypass authorization controls and upload a malicious SQLite database to the application.
By replacing the entire database, the attacker can modify or delete any data, including admin user credentials, resulting in a complete takeover of the MyTube application.
Such a full compromise can lead to loss of data integrity, unauthorized access to sensitive information, and disruption of service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an authorization bypass in the `/api/settings/import-database` endpoint and other POST routes, allowing low-privilege users to upload and replace the application's SQLite database. Detection can focus on monitoring for unauthorized POST requests to this endpoint, especially those with suspicious query parameters mimicking allowed public endpoints.
Suggested detection commands include inspecting web server or application logs for POST requests to `/api/settings/import-database` or similar sensitive endpoints that include query parameters like `?t=/verify-password` or other attempts to bypass authorization.
- Use tools like `grep` or `awk` on access logs to find suspicious requests, for example: `grep 'POST /api/settings/import-database' /var/log/nginx/access.log | grep '\?t='`
- Monitor for unexpected database upload activity or large POST payloads to the `/api/settings/import-database` endpoint.
- Use network monitoring tools to detect unauthorized POST requests to sensitive API endpoints from low-privilege users.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade MyTube to version 1.8.69 or later, where the authorization bypass vulnerability has been fixed by replacing unsafe substring URL matching with exact and prefix-based path matching on normalized request paths.
Until the upgrade can be applied, immediate steps include restricting access to the `/api/settings/import-database` and other sensitive POST endpoints to trusted, high-privilege users only.
Additionally, monitor and block any requests that attempt to bypass authorization by appending query parameters mimicking public endpoints (e.g., requests with `?t=/verify-password` on sensitive routes).
Implement network-level controls such as firewall rules or API gateway policies to limit access to sensitive API endpoints.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows a low-privileged attacker to fully compromise the MyTube application by uploading and replacing its entire SQLite database, including admin credentials and all stored data.
Such a full compromise can lead to unauthorized access, modification, or deletion of sensitive user data, which may include personal information protected under regulations like GDPR and HIPAA.
Therefore, this vulnerability poses a significant risk to compliance with data protection standards by potentially exposing or altering protected data without proper authorization.