CVE-2026-33935
Published: 27 March 2026
Summary
CVE-2026-33935 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Franklioxygen Mytube. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Access Removal (T1531). The CVE ranks in the top 26.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-14 (Public Access Protections).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-7 mandates limits on unsuccessful logon attempts with scoped lockouts (e.g., per-user or per-IP), preventing global shared-state lockouts exploitable by unauthenticated attackers across public endpoints.
SC-5 requires denial-of-service protections that directly mitigate repeated invalid authentication requests incrementing shared cooldown timers to lock out legitimate users.
SC-14 enforces safeguards on publicly accessible authentication endpoints to protect against denial-of-service abuses like excessive failed login attempts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables sustained account lockouts by abusing the shared failed-login state on public authentication endpoints (T1531, Account Access Removal), and application-level DoS by exploiting the improper tracking of authentication attempts (T1499.004, Application or System Exploitation).
NVD Description
MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability.
Deeper analysis
CVE-2026-33935 is a denial-of-service vulnerability (CVSS 7.5, CWE-307) in MyTube, a self-hosted downloader and player for video websites, affecting versions prior to 1.8.72. The issue arises from three publicly accessible password verification endpoints that share a single file-backed login attempt state in `login-attempts.json`. Failed authentication attempts recorded by any endpoint via `recordFailedAttempt()` update this shared state, incrementing the `failedAttempts` counter and adjusting timestamps and cooldown values. Each endpoint calls `canAttemptLogin()` before password verification, which checks the shared JSON file; if a cooldown is active, the request is rejected, making lockouts apply globally across all endpoints.
An unauthenticated network attacker can exploit this by sending repeated invalid authentication requests to any of the endpoints, incrementing the shared counter and extending the cooldown period up to 24 hours. This locks administrator and visitor accounts out of password-based authentication, preventing legitimate logins. The attacker can sustain the denial of service indefinitely by waiting for the cooldown to expire and then triggering another failed attempt, which resets the maximum 24-hour lockout if no successful login occurs.
Mitigation requires upgrading to MyTube version 1.8.72, which addresses the shared state issue. The GitHub security advisory (GHSA-6w95-qgc4-5jxf) and patch commits (e.g., 4d89b146b16d08f27d8fd3e0a9122b109335deb1, 752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58, dd7b4a611fcc5b25a569f379be9a503eb413b6aa) detail the fix, with changes centered in `backend/src/services/loginAttemptService.ts`.
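The following model illustrates the CWE-307 pattern the NVD description and the deeper analysis describe: a single global failed-attempt counter and cooldown shared by every caller and endpoint, beside the AC-7 style fix of scoping that state per client and endpoint. It is an added example, not MyTube's `loginAttemptService.ts` or its patch; the backoff curve, endpoint paths, client identifiers and the in-memory Map standing in for `login-attempts.json` are assumptions.

```typescript
// Illustrative model of the flaw on this page; NOT MyTube's code. The backoff
// curve, endpoint names and the in-memory Map (in place of login-attempts.json)
// are assumptions made for the example.
type AttemptState = { failedAttempts: number; lockedUntil: number };

const BASE_COOLDOWN_MS = 1000;
const MAX_COOLDOWN_MS = 24 * 60 * 60 * 1000; // the 24-hour ceiling the advisory describes

// Exponential backoff capped at 24h (assumed curve; only the cap matters here).
function cooldownFor(failedAttempts: number): number {
  return Math.min(BASE_COOLDOWN_MS * Math.pow(2, failedAttempts - 1), MAX_COOLDOWN_MS);
}

class LoginAttemptService {
  private state = new Map<string, AttemptState>();
  // scoped=false reproduces the vulnerable design: every caller and endpoint
  // shares one counter. scoped=true keys the state per client and endpoint (AC-7).
  constructor(private readonly scoped: boolean) {}

  private key(client: string, endpoint: string): string {
    return this.scoped ? `${client}|${endpoint}` : "global";
  }

  canAttemptLogin(client: string, endpoint: string, now: number): boolean {
    const s = this.state.get(this.key(client, endpoint));
    return s === undefined || now >= s.lockedUntil;
  }

  recordFailedAttempt(client: string, endpoint: string, now: number): void {
    const k = this.key(client, endpoint);
    const failedAttempts = (this.state.get(k)?.failedAttempts ?? 0) + 1;
    this.state.set(k, { failedAttempts, lockedUntil: now + cooldownFor(failedAttempts) });
  }

  recordSuccessfulLogin(client: string, endpoint: string): void {
    this.state.delete(this.key(client, endpoint)); // only a success resets the counter
  }
}

// One client fails n times on one endpoint, waiting out each cooldown. Can a
// different client still reach the password check on another endpoint?
function simulateAbuse(scoped: boolean, n: number): { adminCanLogin: boolean; lockoutMs: number } {
  const svc = new LoginAttemptService(scoped);
  let now = 0;
  for (let i = 1; i <= n; i++) {
    if (i > 1) now += cooldownFor(i - 1); // previous cooldown has just expired
    svc.recordFailedAttempt("203.0.113.9", "/api/login", now); // constructed client id
  }
  const lockoutMs = n === 0 ? 0 : cooldownFor(n);
  return { adminCanLogin: svc.canAttemptLogin("198.51.100.7", "/api/admin-login", now), lockoutMs };
}
```

With the global key, 20 failures from one source leave every other client locked out for the full 24 hours; with scoped keys the same traffic affects only the offending client/endpoint pair.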
Details
- CWE(s)