CVE-2026-33890
MyTube has an Unauthenticated Admin Privilege Escalation via Passkey Registration
CVSS Score
0.0
EPSS Score
0.1%
EPSS Percentile
28th
MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue.
| CWE | CWE-284 |
| Vendor | franklioxygen |
| Product | mytube |
| Published | Mar 27, 2026 |
| Last Updated | Mar 27, 2026 |
Stay Ahead of the Next One
Get instant alerts for franklioxygen mytube
Be the first to know when new unknown vulnerabilities affecting franklioxygen mytube are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
franklioxygen / MyTube
< 1.8.71