Cyber Resilience

CVE-2026-33735

HighPublic PoC

Published: 27 March 2026

Published
27 March 2026
Modified
31 March 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0039 30.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33735 is a high-severity Improper Authorization (CWE-285) vulnerability in Franklioxygen Mytube. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 30.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-33735 is an authorization bypass vulnerability affecting MyTube, a self-hosted downloader and player for various video websites. In versions prior to 1.8.69, the flaw exists in the `/api/settings/import-database` endpoint, where attackers with low-privilege credentials can upload and entirely replace the application's SQLite database, resulting in full application compromise. The issue also impacts other POST routes due to the same bypass mechanism. It is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key).

An attacker requires only low-privilege credentials to exploit this remotely over the network with low complexity and no user interaction. Successful exploitation allows complete replacement of the SQLite database, enabling arbitrary data manipulation, credential theft, or persistence mechanisms, effectively granting full control over the MyTube instance and any associated user data or configurations.

The GitHub security advisory (GHSA-63cf-662x-crp2) and fixing commit (b7bf9b7960958c6c51f85fe50a2fc041a086c466) confirm that upgrading to MyTube version 1.8.69 resolves the authorization checks in the affected middleware (roleBasedSettingsMiddleware.ts), preventing unauthorized database imports and similar POST operations.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full…

more

compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Auth bypass in public-facing web app endpoint directly enables remote exploitation for privilege escalation from low-priv creds to full DB/app control (T1190 + T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33890Same product: Franklioxygen Mytube
CVE-2026-23837Same product: Franklioxygen Mytube
CVE-2026-33935Same product: Franklioxygen Mytube
CVE-2025-14996Shared CWE-639
CVE-2025-26683Shared CWE-285
CVE-2025-67165Shared CWE-639
CVE-2025-5947Shared CWE-639
CVE-2026-7399Shared CWE-639
CVE-2025-21611Shared CWE-285
CVE-2026-1619Shared CWE-639

Affected Assets

franklioxygen
mytube
≤ 1.8.69

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates enforcement of approved authorizations on API endpoints, directly preventing low-privilege users from bypassing checks to upload and replace the SQLite database.

prevent

Enforces least privilege to ensure low-privilege credentials cannot perform high-impact actions like full database replacement, addressing the core authorization bypass.

prevent

Restricts access to system changes such as database imports to authorized personnel, countering unauthorized replacement of the application's SQLite database.

References