Compliance Impact

The vulnerability allows a low-privileged attacker to fully compromise the MyTube application by uploading and replacing its entire SQLite database, including admin credentials and all stored data.

Such a full compromise can lead to unauthorized access, modification, or deletion of sensitive user data, which may include personal information protected under regulations like GDPR and HIPAA.

Therefore, this vulnerability poses a significant risk to compliance with data protection standards by potentially exposing or altering protected data without proper authorization.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-33735 is an authorization bypass vulnerability in the MyTube application, specifically affecting the `/api/settings/import-database` endpoint and other POST routes prior to version 1.8.69.

The vulnerability arises because the authorization middleware used unsafe substring matching on request URLs to determine access permissions. Attackers with low-privilege credentials could append query parameters mimicking allowed public endpoints to restricted URLs, tricking the system into granting unauthorized write access.

This flaw allows an attacker to upload and replace the entire SQLite database of the application, effectively leading to a full compromise of the application.

The issue was fixed in version 1.8.69 by replacing unsafe substring matching with exact and prefix-based path matching on normalized request paths, enforcing strict allowlists for public and visitor-accessible endpoints, and blocking query parameter injection attempts.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with low-privilege visitor credentials to bypass authorization controls and upload a malicious SQLite database to the application.

By replacing the entire database, the attacker can modify or delete any data, including admin user credentials, resulting in a complete takeover of the MyTube application.

Such a full compromise can lead to loss of data integrity, unauthorized access to sensitive information, and disruption of service.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves an authorization bypass in the `/api/settings/import-database` endpoint and other POST routes, allowing low-privilege users to upload and replace the application's SQLite database. Detection can focus on monitoring for unauthorized POST requests to this endpoint, especially those with suspicious query parameters mimicking allowed public endpoints.

Suggested detection commands include inspecting web server or application logs for POST requests to `/api/settings/import-database` or similar sensitive endpoints that include query parameters like `?t=/verify-password` or other attempts to bypass authorization.

• Use tools like `grep` or `awk` on access logs to find suspicious requests, for example: `grep 'POST /api/settings/import-database' /var/log/nginx/access.log | grep '\?t='`
• Monitor for unexpected database upload activity or large POST payloads to the `/api/settings/import-database` endpoint.
• Use network monitoring tools to detect unauthorized POST requests to sensitive API endpoints from low-privilege users.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade MyTube to version 1.8.69 or later, where the authorization bypass vulnerability has been fixed by replacing unsafe substring URL matching with exact and prefix-based path matching on normalized request paths.

Until the upgrade can be applied, immediate steps include restricting access to the `/api/settings/import-database` and other sensitive POST endpoints to trusted, high-privilege users only.

Additionally, monitor and block any requests that attempt to bypass authorization by appending query parameters mimicking public endpoints (e.g., requests with `?t=/verify-password` on sensitive routes).

Implement network-level controls such as firewall rules or API gateway policies to limit access to sensitive API endpoints.

Useful 0 Not Useful 0