Bypass of Authentication in MyTube by Frankli Oxygen
CVE-2026-23837

9.8 CRITICAL

Key Information:

Status
Vendor
CVE Published: 19 January 2026

What is CVE-2026-23837?

MyTube, a self-hosted video downloader and player, contains an authentication bypass caused by improper handling of unauthenticated requests. Specifically, when the 'roleBasedAuthMiddleware' receives a request without an authentication cookie, it passes the request through to subsequent handlers instead of rejecting it, exposing sensitive routes like /api/settings. This flaw compromises application settings, potentially enabling unauthorized modifications to passwords and protected data. Users of MyTube with 'loginEnabled' set to true are at risk and should update urgently to version v1.7.66, which addresses this issue by enforcing strict authentication checks. Users unable to upgrade should consider using firewalls or reverse proxies to limit access to the affected endpoints.
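The fail-open behaviour described above, as an added sketch that is not MyTube's own code: the session store, cookie name, role names and helper functions are assumptions made for illustration. The second middleware shows one fail-closed shape for the same check, and auditMiddleware is a regression check for protected routes.

```javascript
// Constructed sketch of the fail-open pattern; not MyTube's source.
// Session store, cookie name ("session") and role names are assumptions.
const SESSIONS = new Map([
  ["tok-admin", { role: "admin" }],
  ["tok-visitor", { role: "visitor" }],
]);
const config = { loginEnabled: true };

// Fail-open shape: a missing cookie is treated as "nothing to check".
function failOpenAuth(req, res, next) {
  const token = req.cookies.session;
  if (!token) return next(); // unauthenticated request reaches the handler
  const user = SESSIONS.get(token);
  if (!user || user.role !== "admin") return res.status(403).end();
  req.user = user;
  next();
}

// Fail-closed shape: with loginEnabled, no valid session means rejection.
function failClosedAuth(req, res, next) {
  if (!config.loginEnabled) return next();
  const token = req.cookies.session;
  const user = token ? SESSIONS.get(token) : undefined;
  if (!user) return res.status(401).end();
  if (user.role !== "admin") return res.status(403).end();
  req.user = user;
  next();
}

// Minimal stand-in for an Express-style request; returns the HTTP status.
function statusFor(middleware, cookies) {
  let status = null;
  const req = { path: "/api/settings", cookies };
  const res = { status(code) { status = code; return this; }, end() {} };
  middleware(req, res, () => { status = 200; }); // 200 = handler was reached
  return status;
}

// Regression check: every case except a valid admin session must be denied.
function auditMiddleware(middleware) {
  return {
    noCookie: statusFor(middleware, {}),
    unknownToken: statusFor(middleware, { session: "bogus" }),
    visitor: statusFor(middleware, { session: "tok-visitor" }),
    admin: statusFor(middleware, { session: "tok-admin" }),
  };
}
```

The case that separates the two shapes is noCookie: the fail-open middleware lets it reach the handler, while the fail-closed one answers 401.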

Affected Version(s)

MyTube < 1.7.66

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
