CVE-2026-23837
Published: 19 January 2026
Description
MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and potentially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication cookie (making req.user undefined), a request is incorrectly passed through to downstream handlers. All users running MyTube with loginEnabled: true are impacted. This flaw allows an attacker to access and modify application settings via /api/settings, change administrative and visitor passwords, and access other protected routes that rely on this specific middleware. The problem is patched in v1.7.66. MyTube maintainers recommend all users upgrade to at least version v1.7.64 immediately to secure their instances. The fix ensures that the middleware explicitly blocks requests if a user is not authenticated, rather than defaulting to next(). Those who cannot upgrade immediately can mitigate risk by using a firewall or reverse proxy (like Nginx) to restrict access to the /api/ endpoints to trusted IP addresses only or, if they are comfortable editing the source code, manually patch by locating roleBasedAuthMiddleware and ensuring that the logic defaults to an error (401 Unauthorized) when req.user is undefined, instead of calling next().
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations, directly addressing the roleBasedAuthMiddleware's failure to block unauthenticated requests to protected routes like /api/settings.
SI-2 mandates timely identification, reporting, and correction of flaws, enabling patching of the authentication bypass vulnerability as fixed in MyTube v1.7.66.
SC-7 provides boundary protection via firewalls or reverse proxies to restrict network access to vulnerable /api/ endpoints from untrusted IPs, as recommended in the advisory.
Security Summary
CVE-2026-23837 is an authentication bypass vulnerability in the roleBasedAuthMiddleware of MyTube, a self-hosted downloader and player for video websites. The flaw affects version 1.7.65 and potentially earlier versions, impacting all instances where loginEnabled is set to true. It occurs when unauthenticated requests omit the authentication cookie, leaving req.user undefined, which causes the middleware to incorrectly pass the request to downstream handlers instead of blocking it. The vulnerability is rated CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-863 (Incorrect Authorization).
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no privileges required. By simply omitting the authentication cookie in requests, attackers bypass mandatory authentication checks, gaining unauthorized access to protected routes. This enables them to access and modify application settings via the /api/settings endpoint, change administrative and visitor passwords, and interact with other routes dependent on this middleware, potentially leading to full compromise of the MyTube instance.
The vulnerability is patched in MyTube version 1.7.66, which modifies the roleBasedAuthMiddleware to explicitly block unauthenticated requests with a 401 Unauthorized response instead of calling next(). MyTube maintainers, via their GitHub security advisory (GHSA-cmvj-g69f-8664) and commit (f85ae9b0d6e4a6480c6af5b675a99069d08d496e), urge users to upgrade to at least version 1.7.64 immediately. For those unable to upgrade, mitigations include restricting network access to /api/ endpoints using a firewall or reverse proxy like Nginx to allow only trusted IP addresses, or manually editing the source code to enforce a 401 error when req.user is undefined.
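The bug class described in the Description and the Security Summary, as an added example that is not MyTube's code: an Express-style role middleware (the req.user/next() shape is assumed from the advisory's wording) that only rejects when a user object is present, beside a deny-by-default version that returns 401 when req.user is undefined. The request and response objects are minimal constructed stand-ins so the two variants can be exercised offline.

```javascript
// Vulnerable shape (assumed, not MyTube's code): the role check only runs when
// req.user exists, so a request with no auth cookie skips it and hits next().
function vulnerableRoleBasedAuth(allowedRoles) {
  return (req, res, next) => {
    if (req.user && !allowedRoles.includes(req.user.role)) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    return next(); // reached both by permitted users and by no user at all
  };
}

// Hardened shape: deny by default. No req.user is a 401, a wrong role is a 403,
// and only an authenticated, permitted user reaches the downstream handler.
function hardenedRoleBasedAuth(allowedRoles) {
  return (req, res, next) => {
    if (!req.user) {
      return res.status(401).json({ error: 'Unauthorized' });
    }
    if (!allowedRoles.includes(req.user.role)) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    return next();
  };
}

// Minimal stand-in for Express req/res so a middleware can be run offline.
// Returns whether next() was called and the HTTP status the client would see.
function runMiddleware(middleware, user) {
  const res = {
    statusCode: 200,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
  let reachedHandler = false;
  middleware({ user }, res, () => { reachedHandler = true; });
  return { reachedHandler, status: res.statusCode };
}

// Probe a factory with three constructed requests: no auth cookie (req.user
// undefined), an authenticated visitor, and an admin, for an admin-only route.
function probe(factory) {
  const mw = factory(['admin']);
  return {
    anonymous: runMiddleware(mw, undefined),
    visitor: runMiddleware(mw, { role: 'visitor' }),
    admin: runMiddleware(mw, { role: 'admin' }),
  };
}
```

Running `probe(vulnerableRoleBasedAuth)` shows the anonymous request reaching the handler, which is the condition the advisory describes; `probe(hardenedRoleBasedAuth)` stops it with a 401.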
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-23837 is an authentication bypass in the public-facing MyTube web application, allowing unauthenticated remote attackers to access protected API endpoints like /api/settings without privileges, directly enabling T1190: Exploit Public-Facing Application.