CVE-2026-24140 Overview
CVE-2026-24140 is a Mass Assignment vulnerability affecting MyTube, a self-hosted downloader and player for several video websites. The vulnerability exists in the settings management functionality due to insufficient input validation, allowing attackers to persist arbitrary key-value pairs to the database without proper authorization checks.
Critical Impact
Authenticated attackers with high privileges can modify arbitrary application settings by exploiting insufficient input validation in the saveSettings() function.
Affected Products
- MyTube versions 1.7.78 and below
Discovery Timeline
- 2026-01-24 - CVE-2026-24140 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2026-24140
Vulnerability Analysis
This Mass Assignment vulnerability (CWE-915, improperly controlled modification of dynamically-determined object attributes) exists in the MyTube application because the saveSettings() function accepts arbitrary key-value pairs without validating property names against a list of allowed settings. The function types its input as Record<string, any> and iterates over every entry with Object.entries() without filtering unauthorized properties, so any field an attacker sends is persisted directly to the database, whether or not it corresponds to a legitimate application setting.
Exploitation requires network access and high privileges but no user interaction. It has no impact on confidentiality or availability, but it allows unauthorized modification of the application's configuration and therefore compromises the integrity of the application.
Root Cause
The root cause is the lack of input validation and property allowlisting in the settings management functionality. The application fails to implement proper controls to ensure that only legitimate setting properties can be modified through the saveSettings() function. By accepting a generic Record<string, any> type and iterating through all provided entries without verification, the function allows attackers to inject arbitrary configuration values into the database.
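The pattern described above, as an added example that is not MyTube's code: an in-memory model of a handler that persists every entry of a Record<string, any>, next to a hardened version that validates names and values against an allowlist before committing anything. The setting names, validators and the Map-backed store are assumptions for illustration.

```typescript
// Added example, not MyTube's code: an in-memory model of the pattern the
// advisory describes (Record<string, any> + Object.entries() persisted as-is)
// next to a hardened version that validates against an allowlist first.
// The setting names and the Map-backed store are assumptions for illustration.
type SettingsStore = Map<string, unknown>;

// Vulnerable shape: every submitted key is written, nothing is filtered.
function saveSettingsVulnerable(db: SettingsStore, input: Record<string, any>): string[] {
  const written: string[] = [];
  for (const [key, value] of Object.entries(input)) {
    db.set(key, value); // an unknown key such as "isAdmin" lands in the store
    written.push(key);
  }
  return written;
}

// Hardened shape: the allowlist is a Map (not a plain object) so that keys like
// "constructor" or "__proto__" never resolve through the prototype chain.
type Validator = (v: unknown) => boolean;
const ALLOWED_SETTINGS = new Map<string, Validator>([
  ["downloadPath", (v) => typeof v === "string" && v.length > 0 && v.length <= 512],
  ["maxConcurrentDownloads", (v) => Number.isInteger(v) && (v as number) >= 1 && (v as number) <= 10],
  ["theme", (v) => v === "light" || v === "dark"],
]);

interface SaveResult { ok: boolean; rejected: string[] }

// Validate every key and value first and only commit when the whole request is
// clean, so one unexpected field cannot ride along with legitimate ones.
function saveSettingsHardened(db: SettingsStore, input: Record<string, unknown>): SaveResult {
  const rejected: string[] = [];
  for (const [key, value] of Object.entries(input)) {
    const validate = ALLOWED_SETTINGS.get(key);
    if (validate === undefined || !validate(value)) rejected.push(key);
  }
  if (rejected.length > 0) return { ok: false, rejected };
  for (const [key, value] of Object.entries(input)) db.set(key, value);
  return { ok: true, rejected };
}
```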
Attack Vector
The attack vector is network-based and requires authenticated access with high privileges. An attacker with elevated permissions can craft malicious requests to the settings endpoint containing unauthorized property names and values. Since the saveSettings() function processes all submitted key-value pairs without validation, these arbitrary properties are persisted directly to the database. This could allow an attacker to:
- Override internal application settings not intended for user modification
- Inject new configuration values that alter application behavior
- Potentially escalate privileges or modify security-related settings
The vulnerability is exploited by sending HTTP requests to the settings management endpoint with additional fields beyond the expected legitimate settings parameters.
Detection Methods for CVE-2026-24140
Indicators of Compromise
- Unexpected or unauthorized settings values appearing in the application database
- Unusual HTTP POST requests to settings endpoints containing non-standard parameter names
- Changes to application behavior that cannot be attributed to legitimate configuration changes
- Database entries for settings that do not correspond to known application settings
Detection Strategies
- Monitor and log all requests to the settings management endpoint, paying attention to parameter names
- Implement allowlist validation on incoming settings requests to flag unexpected properties
- Review application logs for settings modifications that include unknown property names
- Deploy web application firewall (WAF) rules to detect requests with excessive or unexpected parameters
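One way to implement the second and third strategies above over request logs, as an added example that is not MyTube's code: parse JSON-lines request logs, keep POSTs to the settings endpoint, and raise an alert for any body key outside the expected settings. The log format, field names, expected setting names and the /api/settings path are assumptions, and the sample lines are constructed.

```typescript
// Added example, not MyTube's code: flag POSTs to the settings endpoint whose
// body carries keys outside the expected settings. The JSON-lines format, the
// field names and the /api/settings path are assumptions; adapt the parser to
// your own access or application logs. The sample log below is constructed.
const EXPECTED_SETTINGS_KEYS = new Set(["downloadPath", "maxConcurrentDownloads", "theme"]);
const SETTINGS_PATH = "/api/settings";

interface RequestLog { ts: string; user: string; method: string; path: string; body?: unknown }
interface Alert { ts: string; user: string; unexpectedKeys: string[] }

// Malformed lines are skipped rather than aborting the whole scan.
function parseLine(line: string): RequestLog | null {
  try { return JSON.parse(line) as RequestLog; } catch { return null; }
}

function findUnexpectedSettingsKeys(logLines: string[]): Alert[] {
  const alerts: Alert[] = [];
  for (const line of logLines) {
    const entry = parseLine(line);
    if (!entry || entry.method !== "POST" || typeof entry.path !== "string") continue;
    if (entry.path.split("?")[0] !== SETTINGS_PATH) continue; // ignore query strings
    if (typeof entry.body !== "object" || entry.body === null) continue;
    // Object.keys sees exactly what Object.entries() in the handler would iterate over
    const unexpected = Object.keys(entry.body).filter((k) => !EXPECTED_SETTINGS_KEYS.has(k));
    if (unexpected.length > 0) alerts.push({ ts: entry.ts, user: entry.user, unexpectedKeys: unexpected });
  }
  return alerts;
}

// Constructed sample: a benign update, a request carrying extra keys, an unrelated path, a malformed line.
const SAMPLE_LOG: string[] = [
  '{"ts":"2026-01-25T10:00:01Z","user":"admin","method":"POST","path":"/api/settings","body":{"theme":"dark"}}',
  '{"ts":"2026-01-25T10:02:14Z","user":"admin","method":"POST","path":"/api/settings?v=1","body":{"theme":"dark","isAdmin":true,"allowSignup":true}}',
  '{"ts":"2026-01-25T10:03:00Z","user":"alice","method":"POST","path":"/api/videos","body":{"isAdmin":true}}',
  'not json at all',
];
```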
Monitoring Recommendations
- Enable detailed request logging for all administrative endpoints
- Set up alerts for database modifications to settings tables that include non-standard columns or values
- Regularly audit the settings table for unexpected entries or values
- Monitor for privilege escalation attempts that may follow successful exploitation
How to Mitigate CVE-2026-24140
Immediate Actions Required
- Upgrade MyTube to version 1.7.78 or later, which contains the fix for this vulnerability
- Review your application's settings table for any unexpected or unauthorized entries
- Restrict access to administrative settings endpoints to only trusted users
- Implement additional input validation at the network perimeter using WAF rules
Patch Information
The vulnerability has been fixed in MyTube version 1.7.78. The fix is available in commit 9d737cb373f7af3e5c92d458e2832caf817b6de6. Organizations should update to this version or later immediately. For detailed information about the fix, refer to the GitHub Commit Details and the GitHub Security Advisory.
Workarounds
- Implement a Web Application Firewall (WAF) rule to filter requests containing unexpected parameter names in settings endpoints
- Apply network-level access controls to restrict settings endpoint access to trusted IP addresses only
- Temporarily disable the settings management functionality if not critical to operations until patching is complete
- Enable additional authentication requirements for settings modification operations
# Example: Restrict access to settings endpoints via nginx
location /api/settings {
    # Only allow access from trusted admin IPs
    allow 10.0.0.0/8;
    allow 192.168.1.0/24;
    deny all;
    # Proxy to application
    proxy_pass http://mytube_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

