Which versions of Mytube are affected by CVE-2026-33890?

MyTube versions before 1.8.71 contain a critical authentication bypass that allows any unauthenticated attacker to register passkeys and gain full administrator access, potentially compromising the…. A patch is available.

How to fix or mitigate CVE-2026-33890?

Within 24 hours: Identify all MyTube instances in your environment and confirm current versions below 1.8.71. Within 7 days: Apply vendor-released patch version 1.8.71 to all affected MyTube deployments; take applications offline if patching cannot be completed within this window. Within 30 days: Conduct post-patch audit of passkey registrations and administrator accounts created during the vulnerability window; review access logs for unauthorized administrative activity.

Mytube CVE-2026-33890

Q: What is the CVSS score of CVE-2026-33890?

CVE-2026-33890 has a CVSS 4.0 base score of 8.9 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-16519 HIGH

Improper Access Control (CWE-284)

2026-03-27 GitHub_M

Authentication Bypass Mytube

8.9

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.9 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:12 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.8.71

EUVD ID Assigned

Mar 27, 2026 - 01:15 euvd

EUVD-2026-16519

Analysis Generated

Mar 27, 2026 - 01:15 vuln.today

CVE Published

Mar 27, 2026 - 00:38 nvd

HIGH 8.9

DescriptionGitHub Advisory

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue.

AnalysisAI

MyTube versions prior to 1.8.71 allow unauthenticated remote attackers to register arbitrary passkeys and obtain full administrator access without any existing credentials. The vulnerability stems from exposed passkey registration endpoints that lack authentication checks and automatically grant admin tokens to any successfully registered passkey, enabling complete application compromise. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send unauthenticated request to passkey registration endpoint

Delivery

Exploit

Authenticate with registered passkey

Execution

Receive admin session token

Impact

Gain full administrative access to MyTube