CVE-2026-33935

Source
https://cve.org/CVERecord?id=CVE-2026-33935
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33935.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33935
Aliases
  • GHSA-6w95-qgc4-5jxf
Published
2026-03-27T00:43:49.590Z
Modified
2026-04-10T05:42:58.570295Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
Summary
MyTube has Unauthenticated Account Lockout via Shared Login Attempt State
Details

MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts.

The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in login-attempts.json. When any endpoint records a failed authentication attempt via recordFailedAttempt(), the shared login attempt state is updated, increasing the failedAttempts counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls canAttemptLogin(). This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated.

Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime.

Version 1.8.72 fixes the vulnerability.
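The difference between globally shared and scoped attempt state, modelled as an added example (this is not MyTube's code and not necessarily how 1.8.72 fixes the issue). The function signatures, the 5-second base cooldown with doubling, the endpoint labels and the client addresses are assumptions; an in-memory Map stands in for login-attempts.json.

```javascript
// Added example: in-memory model of a login throttle, not MyTube's implementation.
const MAX_COOLDOWN_MS = 24 * 60 * 60 * 1000; // 24-hour cap described in the advisory
const BASE_COOLDOWN_MS = 5000;               // assumed starting cooldown

class LoginThrottle {
  constructor(keyFn) {
    this.keyFn = keyFn;       // maps (endpoint, clientId) to a state bucket
    this.buckets = new Map(); // stands in for login-attempts.json
  }
  bucket(endpoint, clientId) {
    const key = this.keyFn(endpoint, clientId);
    if (!this.buckets.has(key)) this.buckets.set(key, { failedAttempts: 0, lockedUntil: 0 });
    return this.buckets.get(key);
  }
  canAttemptLogin(endpoint, clientId, now) {
    return now >= this.bucket(endpoint, clientId).lockedUntil;
  }
  recordFailedAttempt(endpoint, clientId, now) {
    const b = this.bucket(endpoint, clientId);
    b.failedAttempts += 1;
    const cooldown = Math.min(BASE_COOLDOWN_MS * 2 ** (b.failedAttempts - 1), MAX_COOLDOWN_MS);
    b.lockedUntil = now + cooldown;
    return cooldown;
  }
  recordSuccess(endpoint, clientId) {
    this.buckets.delete(this.keyFn(endpoint, clientId)); // reset only the caller's own bucket
  }
}

// Shared design from the advisory: one bucket for every endpoint and every client.
const sharedKey = () => "global";
// Scoped design: failures count only against the endpoint and client that produced them.
const scopedKey = (endpoint, clientId) => `${endpoint}|${clientId}`;

// After `failures` bad passwords from one client on the "visitor" endpoint,
// may a different client still attempt a login on the "admin" endpoint?
function legitCanLogin(keyFn, failures) {
  const t = new LoginThrottle(keyFn);
  let now = 0;
  for (let i = 0; i < failures; i++) {
    now = Math.max(now, t.bucket("visitor", "203.0.113.9").lockedUntil); // cooldown elapsed
    t.recordFailedAttempt("visitor", "203.0.113.9", now);
  }
  return t.canAttemptLogin("admin", "198.51.100.7", now + 1);
}
```

Keying on a client address only helps when that address comes from a trusted source (the socket, or a proxy header set by infrastructure you control), and per-client buckets are normally paired with a global rate limit that slows requests rather than hard-locking every account.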

Database specific
{
    "cwe_ids": [
        "CWE-307"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33935.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/franklioxygen/mytube

Affected ranges

Type
GIT
Repo
https://github.com/franklioxygen/mytube
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.8.72"
        }
    ]
}

Affected versions

v1.*
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.19
v1.4.0
v1.4.1
v1.4.10
v1.4.11
v1.4.12
v1.4.13
v1.4.14
v1.4.15
v1.4.16
v1.4.17
v1.4.18
v1.4.19
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.9
v1.5.0
v1.5.1
v1.5.10
v1.5.11
v1.5.12
v1.5.13
v1.5.14
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.9
v1.6.0
v1.6.1
v1.6.10
v1.6.11
v1.6.12
v1.6.13
v1.6.14
v1.6.15
v1.6.16
v1.6.17
v1.6.18
v1.6.19
v1.6.2
v1.6.20
v1.6.21
v1.6.22
v1.6.23
v1.6.24
v1.6.25
v1.6.26
v1.6.27
v1.6.28
v1.6.29
v1.6.3
v1.6.30
v1.6.31
v1.6.32
v1.6.33
v1.6.34
v1.6.35
v1.6.36
v1.6.37
v1.6.38
v1.6.39
v1.6.4
v1.6.40
v1.6.41
v1.6.42
v1.6.43
v1.6.44
v1.6.45
v1.6.46
v1.6.47
v1.6.48
v1.6.49
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.7.0
v1.7.1
v1.7.10
v1.7.100
v1.7.101
v1.7.102
v1.7.103
v1.7.104
v1.7.105
v1.7.106
v1.7.107
v1.7.108
v1.7.109
v1.7.11
v1.7.110
v1.7.111
v1.7.112
v1.7.113
v1.7.114
v1.7.115
v1.7.116
v1.7.117
v1.7.12
v1.7.13
v1.7.14
v1.7.15
v1.7.16
v1.7.17
v1.7.18
v1.7.19
v1.7.2
v1.7.20
v1.7.21
v1.7.22
v1.7.23
v1.7.24
v1.7.25
v1.7.26
v1.7.27
v1.7.28
v1.7.29
v1.7.3
v1.7.30
v1.7.31
v1.7.32
v1.7.33
v1.7.34
v1.7.35
v1.7.36
v1.7.37
v1.7.38
v1.7.39
v1.7.4
v1.7.40
v1.7.41
v1.7.42
v1.7.43
v1.7.44
v1.7.45
v1.7.46
v1.7.47
v1.7.48
v1.7.49
v1.7.5
v1.7.50
v1.7.51
v1.7.52
v1.7.53
v1.7.54
v1.7.55
v1.7.56
v1.7.57
v1.7.58
v1.7.59
v1.7.6
v1.7.60
v1.7.61
v1.7.62
v1.7.63
v1.7.64
v1.7.65
v1.7.66
v1.7.67
v1.7.68
v1.7.69
v1.7.7
v1.7.70
v1.7.71
v1.7.72
v1.7.73
v1.7.74
v1.7.75
v1.7.76
v1.7.77
v1.7.78
v1.7.79
v1.7.8
v1.7.80
v1.7.81
v1.7.82
v1.7.83
v1.7.84
v1.7.85
v1.7.86
v1.7.87
v1.7.88
v1.7.89
v1.7.9
v1.7.90
v1.7.91
v1.7.92
v1.7.93
v1.7.94
v1.7.95
v1.7.96
v1.7.97
v1.7.98
v1.7.99
v1.8.0
v1.8.1
v1.8.10
v1.8.11
v1.8.12
v1.8.13
v1.8.14
v1.8.15
v1.8.16
v1.8.17
v1.8.18
v1.8.19
v1.8.2
v1.8.20
v1.8.21
v1.8.22
v1.8.23
v1.8.24
v1.8.25
v1.8.26
v1.8.27
v1.8.28
v1.8.29
v1.8.3
v1.8.30
v1.8.31
v1.8.32
v1.8.33
v1.8.34
v1.8.35
v1.8.36
v1.8.37
v1.8.38
v1.8.39
v1.8.4
v1.8.40
v1.8.41
v1.8.42
v1.8.43
v1.8.44
v1.8.45
v1.8.46
v1.8.47
v1.8.48
v1.8.49
v1.8.5
v1.8.50
v1.8.51
v1.8.52
v1.8.53
v1.8.54
v1.8.55
v1.8.56
v1.8.57
v1.8.58
v1.8.59
v1.8.6
v1.8.60
v1.8.61
v1.8.62
v1.8.63
v1.8.64
v1.8.65
v1.8.66
v1.8.67
v1.8.68
v1.8.69
v1.8.7
v1.8.70
v1.8.71
v1.8.8
v1.8.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33935.json"