MyTube Authentication Bypass Vulnerability in Role-Based Access Control Middleware
Vulnerability
An authorization bypass vulnerability has been identified in MyTube, a self-hosted video downloader and player. The flaw, present in versions through 1.7.65, lets unauthenticated users bypass the checks in the role-based access control middleware: a request that carries no authentication cookie is passed through to the downstream handlers instead of being rejected. Deployments with login enabled are affected. Exploitation allows reading and modifying application settings through the settings API, changing the administrative and visitor passwords, and reaching any other protected route that depends on the same middleware.
Impact
An unauthenticated attacker can read and modify application settings, change the administrative and visitor passwords (and thereby take over the instance), and reach every other protected route that relies on the affected authentication middleware.
Remediation
Users are advised to upgrade to MyTube version 1.7.66 or later. Those unable to upgrade immediately should restrict network access to the API endpoints (for example, to trusted hosts or a VPN) or patch the authentication middleware locally so that it rejects the request with an error whenever no user is authenticated, rather than passing it on to the handler.
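The pattern described in the vulnerability and remediation sections above, shown as an added illustration that is not MyTube's own code: a role-check middleware that only rejects when a user is present with the wrong role, so a request with no session cookie falls through to the protected handler, next to the fail-closed version the remediation calls for. The cookie name `session`, the session store, and the Express-style `req`/`res`/`next` shape are assumptions chosen for the example.

```javascript
// Added example (hypothetical, not MyTube's code): fail-open vs fail-closed
// role-based access control middleware.

// Constructed session store for the example: cookie value -> user record.
const SESSIONS = new Map([
  ["admin-session-token", { name: "admin", role: "admin" }],
  ["visitor-session-token", { name: "visitor", role: "visitor" }],
]);

// Parse a Cookie header into a name -> value object.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Resolve the request's user from the assumed "session" cookie, or undefined.
function lookupUser(req) {
  const token = parseCookies(req.headers.cookie).session;
  return token ? SESSIONS.get(token) : undefined;
}

// VULNERABLE: the role test is guarded by "user &&", so when no cookie is
// sent, user is undefined, the test is skipped, and next() runs the
// protected handler for an anonymous caller.
function requireRoleVulnerable(role) {
  return (req, res, next) => {
    const user = lookupUser(req);
    if (user && user.role !== role) {
      return res.status(403).send("forbidden");
    }
    req.user = user;
    return next();
  };
}

// FIXED: reject first when nobody is authenticated, then check the role.
function requireRoleFixed(role) {
  return (req, res, next) => {
    const user = lookupUser(req);
    if (!user) return res.status(401).send("authentication required");
    if (user.role !== role) return res.status(403).send("forbidden");
    req.user = user;
    return next();
  };
}

// Minimal stand-in for an Express-like request pipeline: runs one middleware
// in front of a protected "update settings" handler and reports the outcome.
function run(middleware, cookieHeader) {
  const req = { headers: { cookie: cookieHeader } };
  const res = {
    statusCode: 200,
    body: "",
    status(code) { this.statusCode = code; return this; },
    send(body) { this.body = body; return this; },
  };
  let reachedHandler = false;
  middleware(req, res, () => {
    reachedHandler = true;
    res.status(200).send("settings updated");
  });
  return { status: res.statusCode, reachedHandler };
}

// Demonstration: an anonymous request against both versions of the check.
console.log("vulnerable, no cookie:", run(requireRoleVulnerable("admin"), undefined));
console.log("fixed, no cookie:     ", run(requireRoleFixed("admin"), undefined));
console.log("fixed, admin cookie:  ", run(requireRoleFixed("admin"), "session=admin-session-token"));
```

The first call reaches the handler with status 200 even though no cookie was supplied; the fixed middleware returns 401 for the same request, 403 for a valid visitor session, and only passes an admin session through. The practical check for a deployment is the same: send a request to a protected API route with no cookie at all and confirm it is refused rather than answered.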
