CVE-2026-33890

Source
https://cve.org/CVERecord?id=CVE-2026-33890
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33890.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33890
Aliases
  • GHSA-378w-xh68-qrc8
Published
2026-03-27T00:38:50.089Z
Modified
2026-04-10T05:42:57.430976Z
Severity
  • 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Summary
MyTube has an Unauthenticated Admin Privilege Escalation via Passkey Registration
Details

MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes its passkey registration endpoints without requiring prior authentication, and any passkey that authenticates successfully is automatically granted an administrator token, giving full administrative access to the application. This enables a complete compromise of the application without any existing credentials. Version 1.8.71 fixes the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33890.json",
    "cwe_ids": [
        "CWE-284"
    ],
    "cna_assigner": "GitHub_M"
}

Affected packages

Git / github.com/franklioxygen/mytube

Affected ranges

Type
GIT
Repo
https://github.com/franklioxygen/mytube
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.8.71"
        }
    ]
}

Affected versions

v1.*
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.19
v1.4.0
v1.4.1
v1.4.10
v1.4.11
v1.4.12
v1.4.13
v1.4.14
v1.4.15
v1.4.16
v1.4.17
v1.4.18
v1.4.19
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.9
v1.5.0
v1.5.1
v1.5.10
v1.5.11
v1.5.12
v1.5.13
v1.5.14
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.9
v1.6.0
v1.6.1
v1.6.10
v1.6.11
v1.6.12
v1.6.13
v1.6.14
v1.6.15
v1.6.16
v1.6.17
v1.6.18
v1.6.19
v1.6.2
v1.6.20
v1.6.21
v1.6.22
v1.6.23
v1.6.24
v1.6.25
v1.6.26
v1.6.27
v1.6.28
v1.6.29
v1.6.3
v1.6.30
v1.6.31
v1.6.32
v1.6.33
v1.6.34
v1.6.35
v1.6.36
v1.6.37
v1.6.38
v1.6.39
v1.6.4
v1.6.40
v1.6.41
v1.6.42
v1.6.43
v1.6.44
v1.6.45
v1.6.46
v1.6.47
v1.6.48
v1.6.49
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.7.0
v1.7.1
v1.7.10
v1.7.100
v1.7.101
v1.7.102
v1.7.103
v1.7.104
v1.7.105
v1.7.106
v1.7.107
v1.7.108
v1.7.109
v1.7.11
v1.7.110
v1.7.111
v1.7.112
v1.7.113
v1.7.114
v1.7.115
v1.7.116
v1.7.117
v1.7.12
v1.7.13
v1.7.14
v1.7.15
v1.7.16
v1.7.17
v1.7.18
v1.7.19
v1.7.2
v1.7.20
v1.7.21
v1.7.22
v1.7.23
v1.7.24
v1.7.25
v1.7.26
v1.7.27
v1.7.28
v1.7.29
v1.7.3
v1.7.30
v1.7.31
v1.7.32
v1.7.33
v1.7.34
v1.7.35
v1.7.36
v1.7.37
v1.7.38
v1.7.39
v1.7.4
v1.7.40
v1.7.41
v1.7.42
v1.7.43
v1.7.44
v1.7.45
v1.7.46
v1.7.47
v1.7.48
v1.7.49
v1.7.5
v1.7.50
v1.7.51
v1.7.52
v1.7.53
v1.7.54
v1.7.55
v1.7.56
v1.7.57
v1.7.58
v1.7.59
v1.7.6
v1.7.60
v1.7.61
v1.7.62
v1.7.63
v1.7.64
v1.7.65
v1.7.66
v1.7.67
v1.7.68
v1.7.69
v1.7.7
v1.7.70
v1.7.71
v1.7.72
v1.7.73
v1.7.74
v1.7.75
v1.7.76
v1.7.77
v1.7.78
v1.7.79
v1.7.8
v1.7.80
v1.7.81
v1.7.82
v1.7.83
v1.7.84
v1.7.85
v1.7.86
v1.7.87
v1.7.88
v1.7.89
v1.7.9
v1.7.90
v1.7.91
v1.7.92
v1.7.93
v1.7.94
v1.7.95
v1.7.96
v1.7.97
v1.7.98
v1.7.99
v1.8.0
v1.8.1
v1.8.10
v1.8.11
v1.8.12
v1.8.13
v1.8.14
v1.8.15
v1.8.16
v1.8.17
v1.8.18
v1.8.19
v1.8.2
v1.8.20
v1.8.21
v1.8.22
v1.8.23
v1.8.24
v1.8.25
v1.8.26
v1.8.27
v1.8.28
v1.8.29
v1.8.3
v1.8.30
v1.8.31
v1.8.32
v1.8.33
v1.8.34
v1.8.35
v1.8.36
v1.8.37
v1.8.38
v1.8.39
v1.8.4
v1.8.40
v1.8.41
v1.8.42
v1.8.43
v1.8.44
v1.8.45
v1.8.46
v1.8.47
v1.8.48
v1.8.49
v1.8.5
v1.8.50
v1.8.51
v1.8.52
v1.8.53
v1.8.54
v1.8.55
v1.8.56
v1.8.57
v1.8.58
v1.8.59
v1.8.6
v1.8.60
v1.8.61
v1.8.62
v1.8.63
v1.8.64
v1.8.65
v1.8.66
v1.8.67
v1.8.68
v1.8.69
v1.8.7
v1.8.70
v1.8.8
v1.8.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33890.json"