CVE-2026-40594: Origin Validation Error in Project Pyload-ng

Severity: MEDIUM (no CVSS vector)
EPSS: No EPSS data
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Apr 16

Description

pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)

Summary

The `set_session_cookie_secure` `before_request` handler in `src/pyload/webui/app/__init__.py` reads the `X-Forwarded-Proto` header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the **global** Flask configuration `SESSION_COOKIE_SECURE` on every request. Because pyLoad uses the multi-threaded Cheroot WS

Affected Packages (1 package)

PyPI: pyload-ng_project/pyload-ng < 0.5.0b3.dev98

Vulnerability Details

1. GHSA: pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition), 2026-04-16
CVE-2026-40594 — Origin Validation Error | cvebase