📄 Description (English)
MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue.
🤖 AI Executive Summary
CVE-2026-33735 is a critical authorization bypass vulnerability in MyTube versions prior to 1.8.69 that allows low-privilege users to upload and replace the application's SQLite database via the `/api/settings/import-database` endpoint, resulting in complete application compromise. With an available exploit and CVSS score of 8.8, this vulnerability poses an immediate threat to organizations using self-hosted MyTube instances. The bypass affects multiple POST routes, expanding the attack surface significantly. Immediate patching to version 1.8.69 or later is strongly recommended.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 05:16
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations operating self-hosted MyTube instances for internal video management and distribution. Government entities (NCA, Ministry of Interior) using MyTube for secure video content management face critical risks of unauthorized database manipulation and data exfiltration. Saudi financial institutions and SAMA-regulated entities using MyTube for internal communications could experience unauthorized access to sensitive financial data. Telecommunications companies (STC, Mobily) and media organizations hosting MyTube instances are at high risk of content manipulation and service disruption. Healthcare organizations (MOH) using MyTube for medical training or internal communications face patient data exposure risks. The vulnerability's ability to completely compromise the application makes it particularly dangerous in regulated sectors requiring data integrity and confidentiality.
🏢 Affected Saudi Sectors
Government
Banking and Financial Services
Healthcare
Energy and Utilities
Telecommunications
Media and Broadcasting
Education
Defense and Security
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all MyTube instances in your environment running versions prior to 1.8.69
2. Restrict network access to MyTube instances to authorized users only using firewall rules
3. Disable or restrict access to the `/api/settings/import-database` endpoint immediately
4. Review access logs for suspicious database import activities and unauthorized API calls
5. Audit user accounts with API access and revoke unnecessary credentials
PATCHING GUIDANCE:
1. Upgrade MyTube to version 1.8.69 or later immediately
2. Test patches in a non-production environment first
3. Implement a phased rollout for production instances
4. Verify patch application by checking version numbers post-deployment
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement Web Application Firewall (WAF) rules to block POST requests to `/api/settings/import-database`
2. Enforce multi-factor authentication for all API access
3. Implement IP whitelisting for API endpoints
4. Enable comprehensive audit logging for all database operations
5. Implement database backup and integrity verification mechanisms
6. Use read-only database replicas where possible
DETECTION RULES:
1. Monitor for POST requests to `/api/settings/import-database` endpoint
2. Alert on database file modifications outside scheduled maintenance windows
3. Track failed and successful authentication attempts to API endpoints
4. Monitor for unusual database size changes or corruption indicators
5. Log all API calls from low-privilege accounts to sensitive endpoints
6. Implement file integrity monitoring (FIM) on SQLite database files
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نسخ MyTube في بيئتك التي تعمل بإصدارات سابقة للإصدار 1.8.69
2. تقييد الوصول إلى شبكة نسخ MyTube للمستخدمين المصرح لهم فقط باستخدام قواعد جدار الحماية
3. تعطيل أو تقييد الوصول إلى نقطة النهاية `/api/settings/import-database` فوراً
4. مراجعة سجلات الوصول للأنشطة المريبة لاستيراد قاعدة البيانات والاتصالات API غير المصرح بها
5. تدقيق حسابات المستخدمين التي لها وصول API وإلغاء بيانات الاعتماد غير الضرورية
إرشادات التصحيح:
1. ترقية MyTube إلى الإصدار 1.8.69 أو أحدث فوراً
2. اختبار التصحيحات في بيئة غير إنتاجية أولاً
3. تنفيذ طرح متدرج لنسخ الإنتاج
4. التحقق من تطبيق التصحيح بفحص أرقام الإصدار بعد النشر
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تنفيذ قواعد جدار تطبيقات الويب (WAF) لحظر طلبات POST إلى `/api/settings/import-database`
2. فرض المصادقة متعددة العوامل لجميع وصول API
3. تنفيذ قائمة بيضاء IP لنقاط نهاية API
4. تفعيل تسجيل التدقيق الشامل لجميع عمليات قاعدة البيانات
5. تنفيذ آليات النسخ الاحتياطي والتحقق من سلامة قاعدة البيانات
6. استخدام نسخ قاعدة البيانات للقراءة فقط حيث أمكن
قواعد الكشف:
1. مراقبة طلبات POST إلى نقطة النهاية `/api/settings/import-database`
2. التنبيه على تعديلات ملفات قاعدة البيانات خارج نوافذ الصيانة المجدولة
3. تتبع محاولات المصادقة الفاشلة والناجحة لنقاط نهاية API
4. مراقبة تغييرات حجم قاعدة البيانات غير العادية أو مؤشرات الفساد
5. تسجيل جميع استدعاءات API من حسابات ذات امتيازات منخفضة إلى نقاط نهاية حساسة
6. تنفيذ مراقبة سلامة الملفات (FIM) على ملفات قاعدة بيانات SQLite
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.1.1 - Access control policy and procedures
ECC 2024 A.9.2.1 - User registration and de-registration
ECC 2024 A.9.4.3 - Password management
ECC 2024 A.12.4.1 - Event logging
ECC 2024 A.14.2.1 - Secure development policy
🔵 SAMA CSF
SAMA CSF ID.AC-1 - Identity and Access Management
SAMA CSF ID.AC-3 - Access Control and Authorization
SAMA CSF DE.AE-1 - Audit and Accountability
SAMA CSF DE.CM-1 - Detection and Analysis
SAMA CSF RS.RP-1 - Response Planning
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.2 - Privileged access rights
ISO 27001:2022 A.8.3 - Information access restriction
ISO 27001:2022 A.12.4 - Logging
ISO 27001:2022 A.14.2 - Secure development
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Restrict access to system components
PCI DSS 6.5.10 - Broken authentication
PCI DSS 7.1 - Limit access to system components
PCI DSS 10.2 - Implement automated audit trails
🔗 References & Sources 4
🔗
https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/b...
security-advisories@github.com
Product
🔗
https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466
security-advisories@github.com
Patch
🔗
https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2
security-advisories@github.com
Exploit
Vendor Advisory
🔗
https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Vendor Advisory
📦 Affected Products / CPE 1 entries
franklioxygen:mytube