{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33935", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.103Z", "datePublished": "2026-03-27T00:43:49.590Z", "dateUpdated": "2026-03-27T00:43:49.590Z"}, "containers": {"cna": {"title": "MyTube has Unauthenticated Account Lockout via Shared Login Attempt State", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-6w95-qgc4-5jxf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-6w95-qgc4-5jxf"}, {"name": "https://github.com/franklioxygen/MyTube/commit/4d89b146b16d08f27d8fd3e0a9122b109335deb1", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/commit/4d89b146b16d08f27d8fd3e0a9122b109335deb1"}, {"name": "https://github.com/franklioxygen/MyTube/commit/752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/commit/752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58"}, {"name": "https://github.com/franklioxygen/MyTube/commit/dd7b4a611fcc5b25a569f379be9a503eb413b6aa", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/commit/dd7b4a611fcc5b25a569f379be9a503eb413b6aa"}, {"name": "https://github.com/franklioxygen/MyTube/blob/941035909ee3f96a6f80f38acf70cbc3e66b5098/backend/src/services/loginAttemptService.ts#L13", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/blob/941035909ee3f96a6f80f38acf70cbc3e66b5098/backend/src/services/loginAttemptService.ts#L13"}], "affected": [{"vendor": "franklioxygen", "product": "MyTube", "versions": [{"version": "< 1.8.72", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:43:49.590Z"}, "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability."}], "source": {"advisory": "GHSA-6w95-qgc4-5jxf", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability."}], "id": "CVE-2026-33935", "lastModified": "2026-03-27T01:16:21.647", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:21.647", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/franklioxygen/MyTube/blob/941035909ee3f96a6f80f38acf70cbc3e66b5098/backend/src/services/loginAttemptService.ts#L13"}, {"source": "security-advisories@github.com", "url": "https://github.com/franklioxygen/MyTube/commit/4d89b146b16d08f27d8fd3e0a9122b109335deb1"}, {"source": "security-advisories@github.com", "url": "https://github.com/franklioxygen/MyTube/commit/752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58"}, {"source": "security-advisories@github.com", "url": "https://github.com/franklioxygen/MyTube/commit/dd7b4a611fcc5b25a569f379be9a503eb413b6aa"}, {"source": "security-advisories@github.com", "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-6w95-qgc4-5jxf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.72)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MyTube", "source": "cna", "vendor": "franklioxygen"}, "product": "mytube", "vendor": "franklioxygen"}], "analysis": {"en": {"generated_at": "2026-03-27T07:05:57.009573+00:00", "value": {"mitigation_remediation": ["Upgrade MyTube to version\u00a01.8.72 or later to eliminate the shared login\u2011attempt flaw", "Confirm that every password\u2011verification endpoint has the updated logic and that no legacy state files remain", "Monitor authentication logs for abnormal spikes or repeated failed attempts as an early sign of abuse", "If immediate upgrade is not possible, block external traffic to the public login endpoints using firewall or network rules until the update is applied", "Consider enabling per\u2011endpoint lockout policies or disabling unauthenticated access to the affected endpoints as a temporary defense"], "summary": {"action": "Apply Patch", "impact": "Denial of Service via global account lockout"}, "threat_synthesis": {"affected_systems": "The flaw affects Franklioxygen\u2019s MyTube product up to and including version 1.8.71. The vulnerable behavior is present in all publicly accessible password\u2011verification endpoints of the backend service. A fix was introduced in release 1.8.72, which removes the shared login\u2011attempt state and resets the counter per endpoint.", "description_and_impact": "MyTube\u2019s authentication layer exposes three independent password\u2011verification endpoints that all rely on a single shared file to track login attempts. When any endpoint records a failed login, it increments a global counter and starts a cooldown period. Because the same counter and timer are consulted by every endpoint before accepting a password, an unauthenticated attacker can send repeated bad credentials to any of these endpoints and progressively raise the lockout duration. The attacker may then cycle the cooldown to maintain a 24\u2011hour lockout for all users, effectively denying legitimate administrators and visitors from logging in. This vulnerability falls under Weak Authentication (CWE\u2011307) and results in a denial of service for all accounts.", "risk_and_exploitability": "The CVSS base score of 7.7 indicates high availability impact and requires no privileged access, making the threat moderate but significant. No data is available on exploit probability, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting limited evidence of widespread exploitation. However, the attack path is straightforward: an unauthenticated user can abuse any of the three endpoints via simple HTTP requests to a publicly reachable MyTube instance to trigger and maintain the lockout."}}}}, "created": "2026-03-27T08:31:06.508934+00:00", "updated": "2026-03-27T09:22:29.033525+00:00", "vendors": ["franklioxygen", "franklioxygen$PRODUCT$mytube"]}