CVE-2026-33890
Published: 27 March 2026
Summary
CVE-2026-33890 is a critical-severity Improper Access Control (CWE-284) vulnerability in Franklioxygen Mytube. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 39.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses permitting passkey registration without identification or authentication by requiring explicit authorization and documentation of such actions.
Requires identity verification prior to issuing authenticators like passkeys, preventing unauthenticated self-registration of arbitrary credentials.
Enforces approved access authorizations on endpoints to block unauthenticated access to passkey registration and subsequent admin token issuance.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote exploitation of a public-facing web application (MyTube) to register a passkey and obtain full administrator access, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints…
more
without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue.
Deeper analysisAI
CVE-2026-33890 affects MyTube, a self-hosted downloader and player for several video websites, in versions prior to 1.8.71. The vulnerability stems from exposed passkey registration endpoints that do not require prior authentication, allowing an unauthenticated attacker to register an arbitrary passkey. Upon successful authentication with this passkey, the application automatically grants a full administrator token, enabling complete administrative access without needing any existing credentials. This issue is classified under CWE-284 (Improper Access Control) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction. By simply accessing the public passkey registration endpoint, the attacker creates a custom passkey, authenticates with it, and obtains an admin session token. This grants full control over the MyTube instance, including potential data exfiltration, modification of application settings, or execution of arbitrary actions, leading to a total compromise of the affected system.
The GitHub security advisory (GHSA-378w-xh68-qrc8) and the fixing commit (d6c1275a7ff7ffd3d51b53c333237f4d572580ac) confirm that upgrading to MyTube version 1.8.71 resolves the issue by addressing the unauthenticated passkey registration and automatic admin token granting. Security practitioners should immediately patch affected instances and review access logs for unauthorized admin sessions.
Details
- CWE(s)