CVE-2026-33935 (GCVE-0-2026-33935)
Vulnerability from cvelistv5 – Published: 2026-03-27 00:43 – Updated: 2026-03-27 20:02
VLAI?
Title
MyTube has Unauthenticated Account Lockout via Shared Login Attempt State
Summary
MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability.
Severity ?
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| franklioxygen | MyTube |
Affected:
< 1.8.72
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33935",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T20:02:10.135497Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T20:02:20.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MyTube",
"vendor": "franklioxygen",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.72"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T00:43:49.590Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-6w95-qgc4-5jxf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-6w95-qgc4-5jxf"
},
{
"name": "https://github.com/franklioxygen/MyTube/commit/4d89b146b16d08f27d8fd3e0a9122b109335deb1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/commit/4d89b146b16d08f27d8fd3e0a9122b109335deb1"
},
{
"name": "https://github.com/franklioxygen/MyTube/commit/752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/commit/752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58"
},
{
"name": "https://github.com/franklioxygen/MyTube/commit/dd7b4a611fcc5b25a569f379be9a503eb413b6aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/commit/dd7b4a611fcc5b25a569f379be9a503eb413b6aa"
},
{
"name": "https://github.com/franklioxygen/MyTube/blob/941035909ee3f96a6f80f38acf70cbc3e66b5098/backend/src/services/loginAttemptService.ts#L13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/blob/941035909ee3f96a6f80f38acf70cbc3e66b5098/backend/src/services/loginAttemptService.ts#L13"
}
],
"source": {
"advisory": "GHSA-6w95-qgc4-5jxf",
"discovery": "UNKNOWN"
},
"title": "MyTube has Unauthenticated Account Lockout via Shared Login Attempt State"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33935",
"datePublished": "2026-03-27T00:43:49.590Z",
"dateReserved": "2026-03-24T19:50:52.103Z",
"dateUpdated": "2026-03-27T20:02:20.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33935\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-27T01:16:21.647\",\"lastModified\":\"2026-03-30T13:26:29.793\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability.\"},{\"lang\":\"es\",\"value\":\"MyTube es un descargador y reproductor autoalojado para varios sitios web de videos. Antes de la versi\u00f3n 1.8.72, un atacante no autenticado puede bloquear las cuentas de administrador y visitante de la autenticaci\u00f3n basada en contrase\u00f1a al desencadenar intentos de inicio de sesi\u00f3n fallidos. La aplicaci\u00f3n expone tres puntos finales de verificaci\u00f3n de contrase\u00f1a, todos los cuales son de acceso p\u00fablico. Los tres puntos finales comparten un \u00fanico estado de intento de inicio de sesi\u00f3n respaldado por archivo almacenado en \u0027login-attempts.json\u0027. Cuando cualquier punto final registra un intento de autenticaci\u00f3n fallido a trav\u00e9s de \u0027recordFailedAttempt()\u0027, el estado compartido de intento de inicio de sesi\u00f3n se actualiza, aumentando el contador \u0027failedAttempts\u0027 y ajustando las marcas de tiempo y los valores de enfriamiento asociados. Antes de verificar una contrase\u00f1a, cada punto final llama a \u0027canAttemptLogin()\u0027. Esta funci\u00f3n verifica el archivo JSON compartido para determinar si un per\u00edodo de enfriamiento est\u00e1 activo. Si el enfriamiento no ha expirado, la solicitud es rechazada antes de que la contrase\u00f1a sea validada. Debido a que el contador de intentos fallidos y el temporizador de enfriamiento se comparten globalmente, los intentos de autenticaci\u00f3n fallidos contra cualquier punto final afectan a todos los dem\u00e1s puntos finales. Un atacante puede explotar esto enviando repetidamente solicitudes de autenticaci\u00f3n inv\u00e1lidas a cualquiera de estos puntos finales, incrementando el contador compartido y esperando el per\u00edodo de enfriamiento entre intentos. Al hacerlo, el atacante puede aumentar progresivamente la duraci\u00f3n del bloqueo hasta que alcance las 24 horas, impidiendo efectivamente que los usuarios leg\u00edtimos se autentiquen. Una vez que se alcanza el bloqueo m\u00e1ximo, el atacante puede mantener la denegaci\u00f3n de servicio indefinidamente esperando que expire el enfriamiento y enviando otro intento fallido, lo que desencadena inmediatamente otro bloqueo de 24 horas si no se produjo ning\u00fan inicio de sesi\u00f3n exitoso mientras tanto. La versi\u00f3n 1.8.72 corrige la vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-307\"}]}],\"references\":[{\"url\":\"https://github.com/franklioxygen/MyTube/blob/941035909ee3f96a6f80f38acf70cbc3e66b5098/backend/src/services/loginAttemptService.ts#L13\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/franklioxygen/MyTube/commit/4d89b146b16d08f27d8fd3e0a9122b109335deb1\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/franklioxygen/MyTube/commit/752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/franklioxygen/MyTube/commit/dd7b4a611fcc5b25a569f379be9a503eb413b6aa\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/franklioxygen/MyTube/security/advisories/GHSA-6w95-qgc4-5jxf\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33935\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-27T20:02:10.135497Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-27T20:02:16.543Z\"}}], \"cna\": {\"title\": \"MyTube has Unauthenticated Account Lockout via Shared Login Attempt State\", \"source\": {\"advisory\": \"GHSA-6w95-qgc4-5jxf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"franklioxygen\", \"product\": \"MyTube\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.8.72\"}]}], \"references\": [{\"url\": \"https://github.com/franklioxygen/MyTube/security/advisories/GHSA-6w95-qgc4-5jxf\", \"name\": \"https://github.com/franklioxygen/MyTube/security/advisories/GHSA-6w95-qgc4-5jxf\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/franklioxygen/MyTube/commit/4d89b146b16d08f27d8fd3e0a9122b109335deb1\", \"name\": \"https://github.com/franklioxygen/MyTube/commit/4d89b146b16d08f27d8fd3e0a9122b109335deb1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/franklioxygen/MyTube/commit/752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58\", \"name\": \"https://github.com/franklioxygen/MyTube/commit/752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/franklioxygen/MyTube/commit/dd7b4a611fcc5b25a569f379be9a503eb413b6aa\", \"name\": \"https://github.com/franklioxygen/MyTube/commit/dd7b4a611fcc5b25a569f379be9a503eb413b6aa\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/franklioxygen/MyTube/blob/941035909ee3f96a6f80f38acf70cbc3e66b5098/backend/src/services/loginAttemptService.ts#L13\", \"name\": \"https://github.com/franklioxygen/MyTube/blob/941035909ee3f96a6f80f38acf70cbc3e66b5098/backend/src/services/loginAttemptService.ts#L13\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-307\", \"description\": \"CWE-307: Improper Restriction of Excessive Authentication Attempts\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-27T00:43:49.590Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33935\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-27T20:02:20.942Z\", \"dateReserved\": \"2026-03-24T19:50:52.103Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-27T00:43:49.590Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…