CVE-2026-35586
Published 2026-04-07
Priority: P3 · 40 · medium · 6.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.14% (3.9th percentile)
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. This vulnerability is fixed in 0.5.0b3.dev97.
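The name mismatch described above, as an added example that is not pyload-ng's code: a model of an admin-only option set enforced inside a `set_config_value()` function, with the pre-fix entries (`ssl_cert`, `ssl_key`) beside the corrected ones, a consistency check that flags set entries naming options that do not exist in the configuration schema (the defect here), and a coverage check that lists sensitive options a SETTINGS-only user can still overwrite. The configuration schema, the `webui` section the SSL options are placed in, the user and permission structures and every function name are assumptions made for this example; the option names are the ones the advisory quotes.

```python
import copy

# Added example, not pyload-ng code. It models the pattern from the advisory:
# a hand-maintained set of (section, option) pairs that only admins may
# change, consulted by set_config_value(). The schema is constructed for this
# example; the "webui" section for the SSL options and the values are
# assumptions, the option names are the ones the advisories quote.
CONFIG_SCHEMA = {
    "general": {"storage_folder": "/downloads", "ssl_verify": True},
    "webui": {"ssl_certfile": "ssl.crt", "ssl_keyfile": "ssl.key", "ssl_certchain": ""},
    "proxy": {"enabled": False, "host": "", "port": 0, "type": "http",
              "username": "", "password": ""},
}

# Pre-fix set: the ssl_* entries use names that exist nowhere in the schema,
# so the membership test never matches the real ssl_certfile/ssl_keyfile
# options, and ssl_certchain is not listed at all.
ADMIN_ONLY_VULNERABLE = {
    ("general", "storage_folder"),
    ("webui", "ssl_cert"),
    ("webui", "ssl_key"),
    ("proxy", "username"),
    ("proxy", "password"),
}

# Post-fix set as the advisory describes it: correct names plus ssl_certchain.
ADMIN_ONLY_FIXED = {
    ("general", "storage_folder"),
    ("webui", "ssl_certfile"),
    ("webui", "ssl_keyfile"),
    ("webui", "ssl_certchain"),
    ("proxy", "username"),
    ("proxy", "password"),
}

# Options a non-admin should never control, assembled from this advisory and
# the follow-up advisories on ssl_verify and proxy.* (a policy assumption for
# the example, not a list published by the project).
SENSITIVE = {
    ("webui", "ssl_certfile"), ("webui", "ssl_keyfile"), ("webui", "ssl_certchain"),
    ("general", "ssl_verify"),
    ("proxy", "enabled"), ("proxy", "host"), ("proxy", "port"), ("proxy", "type"),
    ("proxy", "username"), ("proxy", "password"),
}


class Forbidden(Exception):
    """Raised when a non-admin touches an admin-only option."""


def set_config_value(config, admin_only, user, section, option, value):
    """Model of the permission check: the caller already holds SETTINGS;
    membership in admin_only additionally requires the admin flag."""
    if option not in config.get(section, {}):
        raise KeyError(f"unknown option {section}.{option}")
    if (section, option) in admin_only and not user["is_admin"]:
        raise Forbidden(f"{section}.{option} is admin-only")
    config[section][option] = value


def dead_entries(schema, admin_only):
    """Entries in admin_only that name no real option. Each one is a
    protection that can never trigger; this check would have flagged
    ssl_cert/ssl_key before release."""
    return sorted(p for p in admin_only if p[1] not in schema.get(p[0], {}))


def unprotected(schema, admin_only, sensitive):
    """Sensitive options that exist in the schema but are not admin-only,
    i.e. that a SETTINGS-only user can still overwrite."""
    return sorted(p for p in sensitive
                  if p[1] in schema.get(p[0], {}) and p not in admin_only)


def non_admin_sets_keyfile(admin_only, path="/tmp/attacker.key"):
    """Simulate a SETTINGS-only user overwriting the TLS key path.
    Returns the stored value, or None when the check blocked the write."""
    config = copy.deepcopy(CONFIG_SCHEMA)
    user = {"name": "settings-only", "is_admin": False}
    try:
        set_config_value(config, admin_only, user, "webui", "ssl_keyfile", path)
    except Forbidden:
        return None
    return config["webui"]["ssl_keyfile"]


if __name__ == "__main__":
    print("dead entries (pre-fix):", dead_entries(CONFIG_SCHEMA, ADMIN_ONLY_VULNERABLE))
    print("non-admin keyfile write (pre-fix):", non_admin_sets_keyfile(ADMIN_ONLY_VULNERABLE))
    print("non-admin keyfile write (post-fix):", non_admin_sets_keyfile(ADMIN_ONLY_FIXED))
    print("still unprotected after fix:", unprotected(CONFIG_SCHEMA, ADMIN_ONLY_FIXED, SENSITIVE))
```

The `dead_entries` check is the part worth carrying into a test suite: a membership set keyed by option names silently turns into dead code the moment a name drifts, so assert at import time that every entry resolves to a real option. With the corrected set the coverage check still reports `ssl_verify` and the proxy `enabled`/`host`/`port`/`type` options, which is the gap the two follow-up advisories on this page describe.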
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pyload-ng_project | pyload-ng | < 0.5.0b3.dev100 | 0.5.0b3.dev100 |
| pyload-ng_project | pyload-ng | <= 0.5.0b3.dev96 | — |
| pyload-ng_project | pyload-ng | >= 0 < 0.5.0b3.dev100 | 0.5.0b3.dev100 |
| pyload-ng_project | pyload-ng | >= 0 < 0.5.0b3.dev97 | 0.5.0b3.dev97 |
| pyload | pyload | < 0.5.0b3.dev97 | 0.5.0b3.dev97 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
| GHSA | 8.8 | HIGH | — |
GHSA · 2026-05-04 · CVSS 8.8 · CVE-2026-42313 [HIGH] CWE-441
pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
### Summary
The `set_config_value()` API method (`@permission(Perms.SETTINGS)`) in `src/pyload/core/api/__init__.py` gates security-sensitive options behind a hand-maintained allowlist `ADMIN_ONLY_CORE_OPTIONS`. The allowlist contains `("proxy", "username")` and `("proxy", "password")`, which protect the proxy credentials, but it does **not** include `("proxy", "enabled")`, `("proxy", "host")`, `("proxy", "port")`, or `("proxy", "type")`. Any authenticated user with the non-admin `SETTINGS` permission can enable proxying and point pyload at any host they control. From that point, every
GHSA · 2026-05-04 · CVSS 8.8 · CVE-2026-42312 [HIGH] CWE-295
pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
### Summary
The `set_config_value()` API method (`@permission(Perms.SETTINGS)`) in `src/pyload/core/api/__init__.py` gates security-sensitive options behind a hand-maintained allowlist `ADMIN_ONLY_CORE_OPTIONS`. The option `("general", "ssl_verify")` is **not** on that allowlist. Any authenticated user with the non-admin `SETTINGS` permission can set `general.ssl_verify = off`, and every subsequent outbound pycurl request is made with `SSL_VERIFYPEER=0` and `SSL_VERIFYHOST=0`: TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload
OSV (mirrored by GHSA) · 2026-04-08 · CVE-2026-35586 [MEDIUM] CWE-863
pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
## Summary
The `ADMIN_ONLY_CORE_OPTIONS` authorization set in `set_config_value()` uses incorrect option names `ssl_cert` and `ssl_key`, while the actual configuration option names are `ssl_certfile` and `ssl_keyfile`. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the `ssl_certchain` option was never added to the admin-only set at all.
## Details
The vulnerability is in `src/pyload/core/api/__init__.py`. The `ADMIN_ONLY_CORE_OPTIONS` set is defined at lines 237-248:
```python
ADMIN_ONLY_CORE_OPTIONS = {
    ("general", "storage_folder"),
    ("lo
```
No detection rules found.
No public exploits indexed.