CVE-2026-24139 Overview
CVE-2026-24139 is an authorization bypass vulnerability in MyTube, a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view.
Critical Impact
This authorization bypass vulnerability allows any visitor or low-privileged user to export the complete application database, potentially exposing all stored user data, credentials, and configuration information.
Affected Products
- MyTube versions 1.7.78 and below
Discovery Timeline
- 2026-01-24 - CVE CVE-2026-24139 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2026-24139
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization). The MyTube application exposes a database export endpoint that lacks proper authorization checks. While the application implements role-based access control for visitors (guest users), the middleware responsible for restricting access fails to properly filter sensitive endpoints like the database export functionality.
The flaw allows users with the "visitor" role to perform GET requests against the /export-database endpoint, which should be restricted to administrative users only. This results in complete database exfiltration, potentially exposing user credentials, video metadata, download history, and application configuration.
Root Cause
The root cause lies in the roleBasedSettingsMiddleware.ts file, where the application originally allowed all GET requests for visitor users without implementing an allowlist approach. The middleware would simply call next() for any GET request made by a visitor, bypassing authorization checks for sensitive endpoints that should be restricted to administrators.
Attack Vector
The attack vector is network-based and requires only low privileges (a visitor/guest account). An attacker can authenticate as a guest user and directly access the database export endpoint via an HTTP GET request. No user interaction is required, and the attack can be executed remotely against any exposed MyTube instance running a vulnerable version.
// Security patch from roleBasedSettingsMiddleware.ts
// Source: https://github.com/franklioxygen/MyTube/commit/e271775e27d51b26e54731b7b874447f47a1f280
if (req.user?.role === "visitor") {
// Allow GET requests (read-only)
if (req.method === "GET") {
- next();
+ // Define allowlist for visitor GET requests
+ // This strict allowlist prevents access to sensitive endpoints like /export-database
+ const visitorAllowedGetPaths = [
+ "/", // General settings
+ "/cloudflared/status",
+ "/password-enabled",
+ "/reset-password-cooldown",
+ "/passkeys",
+ "/passkeys/exists",
+ "/check-cookies",
+ "/hooks/status",
+ "/last-backup-info",
+ ];
+
+ // Check if the requested path is in the allowlist
+ // We check both exact match and if the path starts with allowed prefixes
+ // This handles potential sub-paths (though most here do not have them)
+ const isAllowed = visitorAllowedGetPaths.some(
+ (allowedPath) =>
+ req.path === allowedPath ||
+ req.url === allowedPath ||
+ req.path.startsWith(`${allowedPath}/`) ||
+ req.url.startsWith(`${allowedPath}/`)
+ );
+
+ if (isAllowed) {
Source: GitHub Commit Update
Detection Methods for CVE-2026-24139
Indicators of Compromise
- Unexpected GET requests to /export-database or similar database export endpoints from non-administrator accounts
- Large data transfers originating from the MyTube application server
- Access logs showing visitor or guest accounts accessing restricted administrative endpoints
- Unusual database file downloads or exports not initiated by known administrators
Detection Strategies
- Monitor application logs for unauthorized access attempts to the /export-database endpoint
- Implement alerting for any visitor-role user attempting to access administrative functions
- Review web server access logs for patterns indicating endpoint enumeration or authorization testing
- Deploy web application firewall (WAF) rules to flag requests to sensitive export endpoints from low-privileged sessions
Monitoring Recommendations
- Enable detailed access logging for all MyTube administrative endpoints
- Set up real-time alerting for database export operations performed by non-admin users
- Monitor for abnormal data egress patterns from the MyTube server
- Regularly audit user access logs to identify potential exploitation attempts
How to Mitigate CVE-2026-24139
Immediate Actions Required
- Update MyTube to a version above 1.7.78 that includes the security patch
- Restrict network access to MyTube instances to trusted users only until patching is complete
- Review access logs for any evidence of prior exploitation
- Rotate any credentials or sensitive data that may have been stored in the database
Patch Information
The vulnerability has been addressed in the commit e271775e27d51b26e54731b7b874447f47a1f280. This patch implements a strict allowlist approach for visitor GET requests, explicitly defining which endpoints visitors are permitted to access. The /export-database endpoint is no longer accessible to visitor-role users.
For detailed patch information, refer to:
Workarounds
- Disable guest/visitor access entirely until the patch can be applied
- Implement network-level access controls to restrict who can reach the MyTube instance
- Use a reverse proxy to block access to /export-database and other sensitive endpoints for non-authenticated or low-privilege users
- Monitor and alert on any access attempts to database export functionality
# Example nginx configuration to block sensitive endpoints for non-admin users
# Add to your MyTube reverse proxy configuration
location /export-database {
# Block all access to database export endpoint at proxy level
# This is a temporary workaround until patching is complete
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
