CVE-2026-33890
Received Received - Intake
Unauthenticated Passkey Registration Leads to Admin Takeover in MyTube

Publication date: 2026-03-27

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33890
EUVD
EUVD-2026-16519
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
franklioxygen mytube to 1.8.71 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33890 is a critical vulnerability in the MyTube application (versions prior to 1.8.71) that allows an unauthenticated attacker to gain full administrative access. The issue arises because the application exposes passkey registration and authentication endpoints without requiring any prior authentication.

An attacker can register an arbitrary passkey by interacting with these endpoints, then authenticate using that passkey. Upon successful authentication, the backend automatically grants an administrator token, giving the attacker full admin privileges.

This means an attacker can completely compromise the application without needing any existing credentials.

Impact Analysis

This vulnerability allows any unauthenticated user to escalate their privileges to full administrator level within the MyTube application.

  • Complete compromise of the application.
  • Ability to access and modify the entire database.
  • Retrieve all application data.
  • Lock out legitimate administrators.

Overall, this leads to a total loss of control and security over the application.

Detection Guidance

This vulnerability can be detected by monitoring and testing the exposed WebAuthn passkey registration and authentication endpoints that do not require prior authentication. Specifically, the endpoints to check are: /api/settings/passkeys/register, /api/settings/passkeys/register/verify, /api/settings/passkeys/authenticate, and /api/settings/passkeys/authenticate/verify.

A practical approach is to attempt to register a passkey without authentication and then authenticate with it to see if an administrator token is issued. This can be done using HTTP request tools such as curl or scripting with Python using packages like requests, cbor2, and cryptography as demonstrated in the available proof-of-concept exploit.

  • Use curl commands to test the registration endpoint, for example: curl -X POST http://localhost:5551/api/settings/passkeys/register
  • Attempt to verify the registration with: curl -X POST http://localhost:5551/api/settings/passkeys/register/verify
  • Try authenticating with the registered passkey at: curl -X POST http://localhost:5551/api/settings/passkeys/authenticate
  • Verify authentication with: curl -X POST http://localhost:5551/api/settings/passkeys/authenticate/verify

If these requests succeed without prior authentication and result in an administrator token, the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to upgrade the MyTube application to version 1.8.71 or later, where the vulnerability is fixed.

The fix enforces strict admin-only authorization for passkey registration and verification endpoints, preventing unauthenticated users from registering or authenticating passkeys.

  • Ensure that the passkey registration and verification endpoints require authentication and that only users with the admin role can access them.
  • Apply rate limiting on the /api/settings/passkeys/register endpoint to prevent abuse.
  • Remove any public access paths to passkey registration endpoints from authentication middleware configurations.

If upgrading immediately is not possible, restrict network access to these endpoints to trusted administrators only and monitor for suspicious activity targeting these endpoints.

Compliance Impact

This vulnerability allows an unauthenticated attacker to gain full administrative access to the MyTube application, enabling complete compromise of the application, including access to and modification of the entire database and all application data.

Such a total compromise can lead to unauthorized access, disclosure, or alteration of sensitive personal or protected health information stored within the application, which would violate data protection requirements under common standards and regulations like GDPR and HIPAA.

Therefore, the vulnerability significantly undermines compliance with these regulations by failing to protect sensitive data from unauthorized administrative access and potential data breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33890. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart