CVE-2026-33890 HIGH

CVE-2026-33890: MyTube has an Unauthenticated Admin Privilege Escalation via Passkey Registration

Vendor Franklioxygen
Product MyTube
Weakness CWE-284
Published March 27, 2026
Last update March 27, 2026
View on NVD All CVEs

CVSS base score

8.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue.

Key dates

02Disclosure timeline

March 27, 2026 CVE published
March 27, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-34753 Cisco Firepower Threat Defense Ethernet Industrial Protocol Policy Bypass Vulnerabilities CVE-2026-8240 Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure in Backend\SummaryTemplate CVE-2018-5406 The Quest Kace K1000 Appliance misconfigures the Cross-Origin Resource Sharing (CORS) mechanism. CVE-2026-39339 ChurchCRM has an API Authentication Bypass CVE-2024-20675 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability