CVE-2026-33735
Published: 27 March 2026
Summary
CVE-2026-33735 is a high-severity Improper Authorization (CWE-285) vulnerability in Franklioxygen Mytube. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 15.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates enforcement of approved authorizations on API endpoints, directly preventing low-privilege users from bypassing checks to upload and replace the SQLite database.
Enforces least privilege to ensure low-privilege credentials cannot perform high-impact actions like full database replacement, addressing the core authorization bypass.
Restricts access to system changes such as database imports to authorized personnel, countering unauthorized replacement of the application's SQLite database.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Auth bypass in public-facing web app endpoint directly enables remote exploitation for privilege escalation from low-priv creds to full DB/app control (T1190 + T1068).
NVD Description
MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full…
more
compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue.
Deeper analysisAI
CVE-2026-33735 is an authorization bypass vulnerability affecting MyTube, a self-hosted downloader and player for various video websites. In versions prior to 1.8.69, the flaw exists in the `/api/settings/import-database` endpoint, where attackers with low-privilege credentials can upload and entirely replace the application's SQLite database, resulting in full application compromise. The issue also impacts other POST routes due to the same bypass mechanism. It is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key).
An attacker requires only low-privilege credentials to exploit this remotely over the network with low complexity and no user interaction. Successful exploitation allows complete replacement of the SQLite database, enabling arbitrary data manipulation, credential theft, or persistence mechanisms, effectively granting full control over the MyTube instance and any associated user data or configurations.
The GitHub security advisory (GHSA-63cf-662x-crp2) and fixing commit (b7bf9b7960958c6c51f85fe50a2fc041a086c466) confirm that upgrading to MyTube version 1.8.69 resolves the authorization checks in the affected middleware (roleBasedSettingsMiddleware.ts), preventing unauthorized database imports and similar POST operations.
Details
- CWE(s)