CVE-2026-33735 Overview
CVE-2026-33735 is an authorization bypass vulnerability affecting MyTube, a self-hosted downloader and player for several video websites. Prior to version 1.8.69, the /api/settings/import-database endpoint contains a critical flaw that allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The authorization bypass is also relevant for other POST routes within the application.
Critical Impact
Attackers with low-privilege credentials can completely replace the SQLite database, enabling full application takeover including credential theft, data manipulation, and persistent backdoor access.
Affected Products
- Franklioxygen MyTube versions prior to 1.8.69
- MyTube self-hosted video downloader installations using role-based authentication middleware
- Deployments exposing the /api/settings/import-database endpoint to authenticated users
Discovery Timeline
- 2026-03-27 - CVE-2026-33735 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-33735
Vulnerability Analysis
This authorization bypass vulnerability (CWE-285: Improper Authorization) stems from insufficient access control validation in MyTube's role-based settings middleware. The vulnerability allows low-privilege authenticated users to access administrative functionality that should be restricted to administrators only.
The core issue resides in the roleBasedSettingsMiddleware.ts file, which failed to properly validate user roles before permitting access to sensitive POST endpoints. The /api/settings/import-database endpoint is particularly dangerous because it allows complete database replacement—effectively giving an attacker the ability to overwrite all application data, including user credentials, configurations, and access controls.
An attacker exploiting this vulnerability could inject a malicious SQLite database containing their own administrative credentials, thereby achieving persistent access to the compromised MyTube instance. Since this is a self-hosted application, successful exploitation would give attackers control over the media server and potentially access to the underlying host system.
Root Cause
The root cause of CVE-2026-33735 lies in the inadequate path matching logic within the role-based authentication middleware. The vulnerable code in roleBasedSettingsMiddleware.ts failed to properly distinguish between public endpoints and protected administrative routes for POST requests.
The middleware did not maintain strict allowlists for different privilege levels, allowing requests to administrative endpoints like /api/settings/import-database to bypass authorization checks. The fix introduces explicit path allowlists using constant arrays (PUBLIC_EXACT_PATHS, PUBLIC_PREFIX_PATHS, VISITOR_ALLOWED_POST_EXACT_PATHS) that precisely define which endpoints are accessible to each privilege level.
Attack Vector
The attack vector is network-based, requiring only low-privilege credentials to exploit. An attacker with a visitor or low-privilege account on a MyTube instance can craft HTTP POST requests to the /api/settings/import-database endpoint with a malicious SQLite database payload. The lack of proper authorization checks allows the request to succeed, replacing the legitimate database with the attacker-controlled version.
The following excerpt from the security patch shows the explicit allowlist constants the fix introduces for strict path matching (the excerpt ends before the middleware body itself):
import { NextFunction, Request, Response } from "express";
import { isLoginRequired } from "../services/passwordService";
import {
  matchesExactPath,
  matchesPathOrSubpath,
} from "../utils/requestPath";

// Routes reachable without a session; matched on the exact path only.
const PUBLIC_EXACT_PATHS = [
  "/verify-password",
  "/verify-admin-password",
  "/verify-visitor-password",
  "/logout",
  "/password-enabled",
  "/reset-password-cooldown",
  "/reset-password",
  "/passkeys/exists",
] as const;

// Routes reachable without a session; matched on the path or any sub-path below it.
const PUBLIC_PREFIX_PATHS = [
  "/passkeys/authenticate",
  "/passkeys/register",
] as const;

// GET routes a visitor-level session may reach.
const VISITOR_ALLOWED_GET_PATHS = [
  "/",
  "/cloudflared/status",
  "/password-enabled",
  "/reset-password-cooldown",
  "/passkeys",
  "/passkeys/exists",
  // The excerpt on this page ends here; the remaining entries, the
  // VISITOR_ALLOWED_POST_EXACT_PATHS list and the middleware body are not reproduced.
] as const;
Source: GitHub Commit b7bf9b796095
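To make the allowlist pattern concrete, the following is an added example (not MyTube's code and not taken from the commit above) that reimplements the decision the patched middleware has to make: which role may use which HTTP method on which settings route, with everything not listed denied by default. The constant names follow those the advisory names and the entries visible in the excerpt are kept; the contents of the visitor POST allowlist and its /playback-position route are hypothetical, the exact- and sub-path matching helpers are my own reading of what matchesExactPath and matchesPathOrSubpath must do (the commit's requestPath utility is not reproduced on this page), and paths are assumed to be relative to the /api/settings mount point, as the "/" entry in the excerpt suggests. The role on the request is assumed to have been resolved from the session earlier in the chain.

```typescript
// Added example (not MyTube's code): role/method/path allowlist for a settings router.
// Paths are relative to the /api/settings mount point (assumption).

type Role = "anonymous" | "visitor" | "admin";
type Decision = "allow" | "deny";

// Reachable with no session at all (exact match only). Entries copied from the patch excerpt.
const PUBLIC_EXACT_PATHS = [
  "/verify-password",
  "/verify-admin-password",
  "/verify-visitor-password",
  "/logout",
  "/password-enabled",
  "/reset-password-cooldown",
  "/reset-password",
  "/passkeys/exists",
] as const;

// Reachable with no session; the path itself or any sub-path under it.
const PUBLIC_PREFIX_PATHS = ["/passkeys/authenticate", "/passkeys/register"] as const;

// Read-only routes a visitor session may use. Entries copied from the patch excerpt.
const VISITOR_ALLOWED_GET_PATHS = [
  "/",
  "/cloudflared/status",
  "/password-enabled",
  "/reset-password-cooldown",
  "/passkeys",
  "/passkeys/exists",
] as const;

// State-changing routes a visitor may use. The entry is hypothetical; the point is that
// /import-database is absent from every non-admin list, so it falls through to deny.
const VISITOR_ALLOWED_POST_EXACT_PATHS = ["/playback-position"] as const;

// Canonicalise before matching: drop query/fragment, collapse "//", strip a trailing slash.
// Without this, "/import-database/" or "/import-database?x=1" would miss an exact-match list.
// (Express's req.path already carries no query string; the other cases still apply.)
function normalizePath(rawPath: string): string {
  const noQuery = rawPath.split(/[?#]/, 1)[0] ?? "";
  let path = noQuery.replace(/\/{2,}/g, "/");
  if (path.length > 1 && path.endsWith("/")) path = path.slice(0, -1);
  return path === "" ? "/" : path;
}

function matchesExactPath(path: string, allowed: readonly string[]): boolean {
  return allowed.includes(path);
}

// A prefix only matches at a segment boundary: "/passkeys/register/options" matches
// "/passkeys/register", but "/passkeys/registerX" does not.
function matchesPathOrSubpath(path: string, prefixes: readonly string[]): boolean {
  return prefixes.some((p) => path === p || path.startsWith(p + "/"));
}

// Default-deny decision: anything not explicitly listed for the caller's role is refused,
// so a newly added administrative POST route is protected without being named anywhere.
function authorizeSettingsRequest(role: Role, method: string, rawPath: string): Decision {
  const path = normalizePath(rawPath);
  const verb = method.toUpperCase();

  if (matchesExactPath(path, PUBLIC_EXACT_PATHS) || matchesPathOrSubpath(path, PUBLIC_PREFIX_PATHS)) {
    return "allow";
  }
  if (role === "admin") return "allow";
  if (role === "visitor") {
    if (verb === "GET" && matchesExactPath(path, VISITOR_ALLOWED_GET_PATHS)) return "allow";
    if (verb === "POST" && matchesExactPath(path, VISITOR_ALLOWED_POST_EXACT_PATHS)) return "allow";
  }
  return "deny";
}

// Minimal Express-shaped adapter using structural types, so no express import is needed here.
// How req.role is populated from the session is assumed to happen earlier in the chain.
interface SettingsRequest { method: string; path: string; role: Role }
interface SettingsResponse { status(code: number): { json(body: unknown): void } }

function roleBasedSettingsGuard(req: SettingsRequest, res: SettingsResponse, next: () => void): void {
  if (authorizeSettingsRequest(req.role, req.method, req.path) === "allow") next();
  else res.status(403).json({ error: "forbidden" });
}
```

The two properties worth checking in any middleware of this shape are that the method is part of the decision (a path a visitor may GET must not become writable through POST) and that matching happens on a canonicalised path, so that a trailing slash, doubled slash or query string cannot turn an exact-match miss into a fall-through.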
Detection Methods for CVE-2026-33735
Indicators of Compromise
- Unexpected POST requests to /api/settings/import-database from non-administrative user accounts
- Database file modifications with timestamps that don't align with administrative activity
- New or modified user accounts in the SQLite database, particularly accounts with elevated privileges
- Authentication logs showing successful access to settings endpoints by low-privilege users
Detection Strategies
- Monitor HTTP access logs for POST requests to /api/settings/import-database and correlate with user privilege levels
- Implement file integrity monitoring on the MyTube SQLite database file to detect unauthorized modifications
- Review application logs for authorization-related errors or unusual access patterns to administrative endpoints
- Deploy web application firewall (WAF) rules to alert on database import attempts from non-administrative sessions
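The first two detection strategies above can be expressed as a small rule set over access events that already carry the caller's role. The following is an added example, not MyTube code: the key=value log format, the user names and the /api/settings/cloudflared/restart route are constructed for the example (most access logs do not record the role, so a real deployment would join it from the session store first), and the public POST paths the last rule ignores are taken from the allowlist constants shown in the patch excerpt.

```typescript
// Added example (not MyTube's code): flag settings-endpoint activity that the allowlist model
// says should never succeed for a non-admin. Log format and contents are constructed.

type ActorRole = "anonymous" | "visitor" | "admin";

interface LogEvent {
  ts: string;
  user: string;
  role: ActorRole;
  method: string;
  path: string;
  status: number;
}

interface Finding {
  severity: "high" | "medium";
  reason: string;
  event: LogEvent;
}

const IMPORT_DATABASE_PATH = "/api/settings/import-database";

// POST routes that are public by design (from the patch's PUBLIC_EXACT_PATHS), so a
// successful non-admin POST there is expected and must not raise a finding.
const KNOWN_PUBLIC_POST_PATHS = new Set([
  "/api/settings/verify-password",
  "/api/settings/verify-admin-password",
  "/api/settings/verify-visitor-password",
  "/api/settings/logout",
  "/api/settings/reset-password",
]);

// Constructed sample log. The cloudflared/restart route is hypothetical.
const SAMPLE_LOG = `
2026-03-28T10:15:02Z user=alice role=visitor method=GET path=/api/settings/ status=200
2026-03-28T10:15:09Z user=alice role=visitor method=POST path=/api/settings/import-database status=200
2026-03-28T10:16:40Z user=root role=admin method=POST path=/api/settings/import-database status=200
2026-03-28T10:17:01Z user=bob role=visitor method=POST path=/api/settings/import-database status=403
2026-03-28T10:18:30Z user=bob role=visitor method=POST path=/api/settings/reset-password status=200
2026-03-28T10:19:00Z user=carol role=visitor method=POST path=/api/settings/cloudflared/restart status=200
garbage line that should be skipped
`;

function isActorRole(value: string): value is ActorRole {
  return value === "anonymous" || value === "visitor" || value === "admin";
}

// Parse one constructed log line; returns null for anything that does not fit the format.
function parseLine(line: string): LogEvent | null {
  const m = line.match(/^(\S+) user=(\S+) role=(\S+) method=(\S+) path=(\S+) status=(\d+)$/);
  if (!m) return null;
  const [, ts = "", user = "", role = "", method = "", path = "", status = "0"] = m;
  if (!isActorRole(role)) return null;
  return { ts, user, role, method: method.toUpperCase(), path, status: Number(status) };
}

// Three rules, in priority order:
//  high   - a non-admin POST to import-database that the server answered with a non-error status
//  medium - a non-admin POST to import-database that was rejected (attempt worth investigating)
//  medium - any other non-admin POST under /api/settings/ that succeeded and is not public by design
function analyze(log: string): Finding[] {
  const findings: Finding[] = [];
  for (const raw of log.split("\n")) {
    const ev = parseLine(raw.trim());
    if (!ev) continue;
    const nonAdmin = ev.role !== "admin";
    const succeeded = ev.status < 400;
    const settingsPost = ev.method === "POST" && ev.path.startsWith("/api/settings/");
    if (!nonAdmin) continue;
    if (ev.method === "POST" && ev.path === IMPORT_DATABASE_PATH) {
      findings.push(succeeded
        ? { severity: "high", reason: "non-admin replaced the database", event: ev }
        : { severity: "medium", reason: "non-admin attempted database import (rejected)", event: ev });
    } else if (settingsPost && succeeded && !KNOWN_PUBLIC_POST_PATHS.has(ev.path)) {
      findings.push({ severity: "medium", reason: "non-admin succeeded on a settings POST route", event: ev });
    }
  }
  return findings;
}

// Severity counts, the shape an alerting threshold would consume.
function summarize(findings: Finding[]): { high: number; medium: number } {
  return {
    high: findings.filter((f) => f.severity === "high").length,
    medium: findings.filter((f) => f.severity === "medium").length,
  };
}
```

Running analyze over the sample yields one high finding (alice's successful import) and two medium ones (bob's rejected attempt and carol's successful non-public settings POST); bob's reset-password POST is ignored because that route is public by design. A rejected attempt is kept as a finding on purpose: on an unpatched instance the same request would have succeeded, so it tells the responder who was probing.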
Monitoring Recommendations
- Enable detailed access logging for all /api/settings/* endpoints with user role information
- Configure alerts for any database file changes outside of scheduled backup windows
- Monitor for multiple failed authentication attempts followed by successful access to administrative functions
- Implement anomaly detection for user privilege usage patterns within the MyTube application
How to Mitigate CVE-2026-33735
Immediate Actions Required
- Upgrade MyTube to version 1.8.69 or later immediately
- Audit existing database contents for unauthorized modifications or suspicious user accounts
- Review access logs for any evidence of exploitation prior to patching
- Reset all user credentials after patching if exploitation is suspected
Patch Information
The vulnerability has been fixed in MyTube version 1.8.69. The patch introduces proper path-based authorization checks using explicit allowlists in the role-based authentication middleware. The fix is available via GitHub Commit b7bf9b796095. Additional details are available in the GitHub Security Advisory GHSA-63cf-662x-crp2.
Workarounds
- Restrict network access to the MyTube instance to trusted IP addresses only until patching is possible
- Disable public registration and limit user accounts to administrators if the application cannot be immediately updated
- Deploy a reverse proxy with rules blocking POST requests to /api/settings/import-database from non-administrative users
- Consider taking the MyTube instance offline temporarily if sensitive data is at risk and immediate patching is not feasible
# Example: Block import-database endpoint at reverse proxy level (nginx)
location /api/settings/import-database {
    # Only allow from trusted admin IPs
    allow 192.168.1.100;
    deny all;
    proxy_pass http://mytube-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

