Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.9
MyTube: Unsecured Passkey Registration Allows Full Admin Access
CVE-2026-33890
Summary
If you're using MyTube version 1.8.70 or earlier, an attacker can create a special key that lets them take full control of your MyTube setup without needing a password. This is a big deal because it means an attacker could delete or change your settings, access your personal data, or even lock you out of your account. To stay safe, update MyTube to version 1.8.71 or later.
Original title
MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it...
Original description
MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue.
nvd CVSS4.0
8.9
Vulnerability type
CWE-284
Improper Access Control
Published: 27 Mar 2026 · Updated: 27 Mar 2026 · First seen: 27 Mar 2026