CVE-2026-23837
📋 TL;DR
CVE-2026-23837 is an authentication bypass vulnerability in MyTube that allows unauthenticated attackers to access protected administrative functions. All users running MyTube with loginEnabled: true are affected, enabling attackers to change passwords, modify settings, and access other protected routes. The vulnerability exists in the roleBasedAuthMiddleware which incorrectly passes requests through when authentication cookies are missing.
💻 Affected Systems
- MyTube
📦 What is this software?
Mytube by Franklioxygen
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the MyTube instance: attackers can change administrative passwords, modify all application settings, and potentially gain full control over the self-hosted service.
Likely Case
Unauthorized access to administrative functions leading to configuration changes, password resets, and potential data exposure from protected routes.
If Mitigated
Limited impact if network access controls restrict API endpoints to trusted IPs, though the vulnerability remains present in the application.
🎯 Exploit Status
Exploitation requires no authentication and minimal technical skill - simply omitting authentication cookies triggers the bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.7.66
Vendor Advisory: https://github.com/franklioxygen/MyTube/security/advisories/GHSA-cmvj-g69f-8664
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Stop the MyTube service.
3. Update to v1.7.66 or later via package manager or manual download.
4. Restart the MyTube service.
5. Verify that authentication is working correctly.
🔧 Temporary Workarounds
Network Access Restriction
Use a firewall or reverse proxy to restrict access to /api/ endpoints to trusted IP addresses only
# Nginx example:
location /api/ {
    allow 192.168.1.0/24;
    deny all;
}
Source Code Patch
Manually modify roleBasedAuthMiddleware to return 401 Unauthorized when req.user is undefined
# Locate roleBasedAuthMiddleware in source code and ensure it returns error instead of calling next() when req.user is undefined
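The pass-through described in the TL;DR and the fix described in this workaround, shown side by side as an added illustration; this is not MyTube's source, and the names requireRoleVulnerable, requireRoleFixed and run are assumptions for the example.

```javascript
// Added illustration, not MyTube's source: a minimal Express-style
// role-check middleware in the shape the advisory describes. The names
// (requireRoleVulnerable, requireRoleFixed, run) are assumptions.

// Vulnerable pattern: when no session/user was attached (cookie absent),
// req.user is undefined, the role comparison is skipped, and the request
// falls through to next() as if it were authorized.
function requireRoleVulnerable(role) {
  return function (req, res, next) {
    if (req.user && req.user.role !== role) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next(); // also reached when req.user is undefined
  };
}

// Fixed pattern: a missing user is rejected with 401 before any role logic.
function requireRoleFixed(role) {
  return function (req, res, next) {
    if (!req.user) {
      return res.status(401).json({ error: 'unauthorized' });
    }
    if (req.user.role !== role) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}

// Tiny stand-in for Express so the file runs offline: returns the HTTP
// status the middleware set, or 200 if it called next().
function run(middleware, req) {
  let status = 200;
  let passed = false;
  const res = {
    status(code) { status = code; return this; },
    json() { return this; },
  };
  middleware(req, res, () => { passed = true; });
  return passed ? 200 : status;
}

// Constructed requests: no cookie (req.user never set), a viewer, an admin.
const noCookie = {};
const viewer = { user: { role: 'viewer' } };
const admin = { user: { role: 'admin' } };

console.log(run(requireRoleVulnerable('admin'), noCookie), run(requireRoleFixed('admin'), noCookie)); // 200 401
```

The same check applied after the patch should produce 401 for the cookie-less request, which is what the "Verify Fix Applied" step below looks for.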
🧯 If You Can't Patch
- Implement strict network access controls to restrict API endpoints to trusted IPs only
- Disable authentication (set loginEnabled: false) if administrative functions are not needed
🔍 How to Verify
Check if Vulnerable:
Attempt to access /api/settings endpoint without authentication cookies. If access is granted, the system is vulnerable.
Check Version:
Check MyTube version in web interface or configuration files, or run: npm list --global | grep mytube
Verify Fix Applied:
Attempt to access /api/settings endpoint without authentication cookies. Should receive 401 Unauthorized response.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to /api/ endpoints returning 200 OK
- Multiple failed authentication attempts followed by successful API access
- Configuration changes or password reset requests from unauthenticated IPs
Network Indicators:
- HTTP requests to /api/settings, /api/users, or other protected routes without authentication headers
- Unusual API activity from external IP addresses
SIEM Query:
source="mytube" AND (uri_path="/api/*" AND status=200 AND NOT auth_cookie=*)