CVE-2026-33935 Overview
CVE-2026-33935 is a Denial of Service vulnerability affecting MyTube, a self-hosted downloader and player for video websites. The vulnerability exists in versions prior to 1.8.72 and allows unauthenticated attackers to lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints that are publicly accessible and share a single file-backed login attempt state, enabling attackers to progressively increase lockout durations until reaching a 24-hour maximum that can be maintained indefinitely.
Critical Impact
Unauthenticated attackers can completely deny legitimate users access to the MyTube application by manipulating the shared login attempt counter across all authentication endpoints, effectively creating a permanent denial of service condition.
Affected Products
- Franklioxygen MyTube versions prior to 1.8.72
- Self-hosted MyTube instances with password authentication enabled
- All three password verification endpoints sharing login-attempts.json state
Discovery Timeline
- 2026-03-27 - CVE-2026-33935 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-33935
Vulnerability Analysis
This vulnerability represents a classic Improper Restriction of Excessive Authentication Attempts (CWE-307) flaw in the MyTube application's login handling mechanism. The core issue stems from a flawed architectural decision where all three password verification endpoints share a single global state for tracking failed login attempts.
The application stores authentication attempt data in a file called login-attempts.json, which maintains a failedAttempts counter along with associated timestamps and cooldown values. When any of the three publicly accessible endpoints records a failed authentication attempt via the recordFailedAttempt() function, this shared state is updated globally rather than on a per-user or per-endpoint basis.
Before validating any password, each endpoint invokes canAttemptLogin(), which checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before any password validation occurs. This creates a scenario where an attacker can affect the authentication availability for all users by targeting any single endpoint.
Root Cause
The root cause of this vulnerability lies in the design of the login attempt tracking system within the loginAttemptService.ts file. The implementation uses a globally shared file-backed state (login-attempts.json) across all authentication endpoints without any form of per-user, per-IP, or per-session isolation. This architectural flaw means that failed authentication attempts from any source against any endpoint will increment a single counter that affects all subsequent authentication requests.
The absence of proper rate limiting isolation allows an attacker to weaponize the built-in lockout mechanism against legitimate users. The progressive cooldown system, which was intended as a security feature to prevent brute-force attacks, becomes the attack vector itself.
Attack Vector
The attack leverages the network-accessible password verification endpoints to trigger the shared lockout mechanism. An attacker can exploit this vulnerability through the following process:
- The attacker sends invalid authentication requests to any of the three publicly accessible password verification endpoints
- Each failed attempt triggers recordFailedAttempt(), incrementing the shared counter in login-attempts.json
- The attacker waits for the cooldown period to expire between attempts
- By progressively increasing the failedAttempts counter, the lockout duration escalates until reaching the maximum of 24 hours
- Once the maximum lockout is reached, the attacker maintains the denial of service by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime
This attack requires no authentication and can be performed entirely over the network, making it trivial to execute against any exposed MyTube instance. The vulnerability can be found in the loginAttemptService.ts source code.
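As an added illustration for the Vulnerability Analysis, Root Cause and Attack Vector sections above (not MyTube's code; the advisory only says the cooldown is progressive with a 24-hour ceiling, so the exact escalation schedule here is an assumption), the following TypeScript models the application-wide, file-backed state beside a per-client variant that supplies the isolation the root cause lacks:

```typescript
// Added illustration (not MyTube's code): a minimal model of a file-backed
// login-attempt service in the shared-state shape the advisory describes,
// beside a per-client variant. The escalation schedule below is assumed.

interface AttemptState { failedAttempts: number; lockedUntil: number }

const MAX_COOLDOWN_MS = 24 * 60 * 60 * 1000; // the 24-hour ceiling from the advisory

// Assumed schedule: three free attempts, then doubling from 1 minute up to 24 h.
function cooldownFor(failedAttempts: number): number {
  if (failedAttempts < 3) return 0;
  return Math.min(60_000 * 2 ** (failedAttempts - 3), MAX_COOLDOWN_MS);
}

// Shared state: one record for the whole application, like login-attempts.json
// before 1.8.72. Whoever fails, everyone waits; the caller identity is ignored.
class SharedAttemptService {
  private state: AttemptState = { failedAttempts: 0, lockedUntil: 0 };
  canAttemptLogin(_client: string, now: number): boolean {
    return now >= this.state.lockedUntil;
  }
  recordFailedAttempt(_client: string, now: number): void {
    this.state.failedAttempts += 1;
    this.state.lockedUntil = now + cooldownFor(this.state.failedAttempts);
  }
  recordSuccess(_client: string): void {
    this.state = { failedAttempts: 0, lockedUntil: 0 };
  }
}

// Isolated variant: state keyed per client (source IP, account, or session),
// so one client's failures cannot lock another client out.
class PerClientAttemptService {
  private states: Record<string, AttemptState> = {};
  private stateFor(client: string): AttemptState {
    return (this.states[client] ??= { failedAttempts: 0, lockedUntil: 0 });
  }
  canAttemptLogin(client: string, now: number): boolean {
    return now >= this.stateFor(client).lockedUntil;
  }
  recordFailedAttempt(client: string, now: number): void {
    const s = this.stateFor(client);
    s.failedAttempts += 1;
    s.lockedUntil = now + cooldownFor(s.failedAttempts);
  }
  recordSuccess(client: string): void {
    delete this.states[client];
  }
}
```

With the shared service, three failures from one source leave every caller rejected until the cooldown expires, and enough failures pin the lockout at the 24-hour cap; the per-client service only ever locks the key that failed.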
Detection Methods for CVE-2026-33935
Indicators of Compromise
- Unusual volume of failed authentication requests from single or distributed IP addresses
- Frequent modifications to the login-attempts.json file with escalating failedAttempts counter values
- Legitimate administrators and users reporting inability to authenticate despite using correct credentials
- HTTP 429 or authentication lockout responses occurring when no legitimate login attempts were made
Detection Strategies
- Monitor web server access logs for repeated requests to password verification endpoints from external IPs
- Implement alerting on rapid increases in the failedAttempts counter within login-attempts.json
- Set up anomaly detection for authentication endpoint traffic patterns that deviate from baseline user behavior
- Configure intrusion detection systems to flag sequential failed authentication attempts with timing patterns matching cooldown intervals
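As an added example for the Indicators of Compromise and Detection Strategies above (not from the advisory; the nginx combined log layout, the endpoint paths and the sample lines are constructed assumptions), this TypeScript pools failed password-endpoint requests across every source, which is the right grouping when the lockout state they update is shared:

```typescript
// Added detection sketch (not from the advisory or from MyTube): pool failed
// requests to the password endpoints across all sources, since the lockout
// state they update is shared. Log layout and endpoint paths are assumed.
interface AuthEvent { ip: string; ts: number; path: string; status: number }
interface Finding { failed: number; sources: string[]; alert: boolean }

const MONTHS = ["Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"];
// Assumed nginx "combined" layout; only the fields the check needs are captured.
const LINE_RE = /^(\S+) \S+ \S+ \[(\d+)\/(\w+)\/(\d+):(\d+):(\d+):(\d+) ([+-]\d{4})\] "(\w+) (\S+) [^"]*" (\d{3})/;
// Assumed paths for the three password endpoints; use the deployment's real routes.
const AUTH_PATHS = ["/api/auth/admin", "/api/auth/visitor", "/api/auth/verify"];

function parseAuthEvent(line: string): AuthEvent | null {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, d, mon, y, hh, mm, ss, tz, method, path, status] = m;
  if (method !== "POST" || AUTH_PATHS.indexOf(path) < 0) return null;
  const offMin = Number(tz.slice(0, 3)) * 60 + Number(tz[0] + tz.slice(3)); // "+0530" -> 330
  const ts = Date.UTC(+y, MONTHS.indexOf(mon), +d, +hh, +mm, +ss) - offMin * 60_000;
  return { ip, ts, path, status: Number(status) };
}

// Alert when failed POSTs (401 rejected, 429 already locked out) to any password
// endpoint, pooled over every source, reach `threshold` inside one `windowMs`.
function detectSharedLockoutAbuse(lines: string[], threshold = 5, windowMs = 3_600_000): Finding {
  const failed = lines
    .map(parseAuthEvent)
    .filter((e): e is AuthEvent => e !== null && (e.status === 401 || e.status === 429))
    .sort((a, b) => a.ts - b.ts);
  let alert = false;
  for (let i = 0, j = 0; j < failed.length; j++) {   // sliding window over sorted events
    while (failed[j].ts - failed[i].ts > windowMs) i++;
    if (j - i + 1 >= threshold) { alert = true; break; }
  }
  const sources: string[] = [];
  for (const e of failed) if (sources.indexOf(e.ip) < 0) sources.push(e.ip);
  return { failed: failed.length, sources, alert };
}

// Constructed sample: two external sources alternate endpoints, then the real
// admin (192.0.2.10) is turned away with 429 without ever failing a password.
const SAMPLE_LOG = [
  '203.0.113.5 - - [27/Mar/2026:10:00:00 +0000] "POST /api/auth/admin HTTP/1.1" 401 52 "-" "curl/8.0"',
  '203.0.113.5 - - [27/Mar/2026:10:00:05 +0000] "POST /api/auth/visitor HTTP/1.1" 401 52 "-" "curl/8.0"',
  '198.51.100.7 - - [27/Mar/2026:10:00:09 +0000] "POST /api/auth/verify HTTP/1.1" 401 52 "-" "curl/8.0"',
  '198.51.100.7 - - [27/Mar/2026:10:01:15 +0000] "POST /api/auth/admin HTTP/1.1" 429 48 "-" "curl/8.0"',
  '192.0.2.10 - - [27/Mar/2026:10:02:30 +0000] "GET /watch/123 HTTP/1.1" 200 1042 "-" "Mozilla/5.0"',
  '192.0.2.10 - - [27/Mar/2026:10:03:00 +0000] "POST /api/auth/admin HTTP/1.1" 429 48 "-" "Mozilla/5.0"',
];
```

A per-IP counter would score each of the three sources as harmless; the pooled count is what matches the shared-state failure mode, and the legitimate admin's 429 with no preceding 401 of their own is the lockout indicator the advisory lists.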
Monitoring Recommendations
- Deploy network-level monitoring to track authentication endpoint request rates and source IP diversity
- Implement file integrity monitoring on login-attempts.json to detect unauthorized modifications
- Create dashboards tracking authentication success/failure ratios and lockout trigger frequencies
- Establish baseline metrics for normal authentication patterns to identify anomalous lockout-inducing activity
How to Mitigate CVE-2026-33935
Immediate Actions Required
- Upgrade MyTube to version 1.8.72 or later immediately to address this vulnerability
- Review authentication logs for evidence of exploitation attempts prior to patching
- Consider temporarily implementing IP-based access controls on authentication endpoints if immediate upgrade is not possible
- Notify users if authentication lockouts occurred that may have been exploitation-related
Patch Information
Version 1.8.72 of MyTube addresses this vulnerability. The fix has been implemented through multiple commits available in the GitHub Security Advisory. The relevant patches include:
Organizations should update to version 1.8.72 or later as soon as possible.
Workarounds
- Place a reverse proxy with rate limiting in front of the MyTube application to limit authentication requests per IP
- Implement firewall rules to restrict access to authentication endpoints to known trusted networks
- Configure web application firewall (WAF) rules to detect and block repeated failed authentication patterns
- Consider temporarily disabling public access to the application until the patch can be applied
# Example nginx rate limiting configuration for authentication endpoints.
# limit_req_zone is only valid in the http context; the location block goes in
# the server block that proxies MyTube. The paths in the regex are placeholders:
# replace them with the instance's actual password verification routes.
# mytube_backend is an assumed upstream name.
limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=5r/m;
location ~ ^/(api/auth|login|verify) {
    limit_req zone=auth_limit burst=3 nodelay;
    limit_req_status 429;
    proxy_pass http://mytube_backend;
}
# A per-IP limit slows a single source but does not isolate the shared lockout
# state, so distributed sources can still trigger it; only the upgrade fixes the root cause.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

