MyTube Allows Unauthorized Database Export by Guest Users_CVE-2026-24139

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view.

Basic Information

ID CVE-2026-24139

Source GitHub_M

Published Jan 23, 2026 at 23:55

Affected Product

Vendor franklioxygen

Product MyTube

Version < 1.7.79

Affected Versions franklioxygen MyTube < 1.7.79

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view.",
    "published": "2026-01-23T23:55:23.541Z",
    "modified": "2026-01-23T23:55:23.541Z",
    "type": "cve",
    "title": "MyTube Allows Unauthorized Database Export by Guest Users",
    "source": "GitHub_M",
    "references": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-hhc3-8q8c-89q7\nhttps://github.com/franklioxygen/MyTube/commit/e271775e27d51b26e54731b7b874447f47a1f280",
    "id": "CVE-2026-24139",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "franklioxygen MyTube < 1.7.79",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MyTube",
    "version": "< 1.7.79",
    "vendor": "franklioxygen",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}