Description
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch.
Published: 2026-03-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cloud Metadata Exfiltration via SSRF
Action: Immediate Patch
AI Analysis

Impact

PyLoad's download engine, before version 0.5.0b3.dev97, accepts any user-supplied URL without validation, creating a Server-Side Request Forgery (SSRF, CWE-918) condition. An authenticated attacker can submit a malicious link that forces the server to fetch the target, enabling access to internal network services and extraction of cloud provider metadata, including droplet identifiers, network configuration, region, authentication keys, and SSH keys exposed in user-data on DigitalOcean droplets.

Affected Systems

Every pyLoad instance running a version earlier than 0.5.0b3.dev97 is affected. Any authenticated user who can submit download links through the web interface or API can trigger the flaw.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical risk. Exploitation requires only an authenticated account on the pyLoad service, making it readily feasible for legitimate or compromised users. No EPSS data is available, and the vulnerability is not listed in the KEV catalog, but the potential to expose sensitive infrastructure data makes the threat significant.

Generated by OpenCVE AI on March 28, 2026 at 06:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pyLoad to version 0.5.0b3.dev97 or later, which includes the URL validation patch.
  • If an upgrade cannot be performed immediately, enforce server-side URL validation or apply a whitelist of allowed target domains to block arbitrary URL submissions.
  • Monitor pyLoad access logs for unexpected outbound connections and consider restricting authenticated access to the download interface if feasible.
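Added example (this is not pyLoad's own code or its patch): a Python guard implementing the second recommended action, server-side URL validation with an optional allow-list. It parses the submitted URL, restricts the scheme to http/https (an assumption made for this example), applies the allow-list if one is given, resolves the host, and rejects any answer that is loopback, private, link-local (the range in which cloud metadata services are reached), multicast or otherwise not globally routable. The resolver is injectable so the demo runs offline against a constructed DNS table; the default uses socket.getaddrinfo. The hostnames and addresses in the demo are constructed.

```python
"""Added example: SSRF guard for user-submitted download URLs (not pyLoad code).

Enforces the "server-side URL validation / allow-list" mitigation: only
http(s) schemes, optional host allow-list, and every address the host
resolves to must be globally routable (no loopback, private, link-local or
reserved space, which is where cloud metadata endpoints live).
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Assumption for this example: only web schemes are accepted.
ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """Raised when a submitted URL must not be fetched server-side."""


def _resolve(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for the host (raises OSError on failure)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0].split("%")[0] for info in infos})


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_public(addr: str) -> bool:
    """True only for a globally routable unicast address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 checks apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global already excludes loopback, private, link-local (169.254/16),
    # unspecified and reserved space; multicast is excluded explicitly.
    return ip.is_global and not ip.is_multicast


def validate_download_url(url: str, allowed_hosts: Iterable[str] | None = None,
                          resolver: Callable[[str], list[str]] = _resolve) -> list[str]:
    """Validate a submitted URL and return the public addresses it resolves to.

    Connect to one of the returned addresses (and re-run this check on every
    redirect) instead of resolving again, so DNS cannot change between check
    and use.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased; brackets stripped for IPv6 literals
        userinfo = parts.username is not None or parts.password is not None
    except ValueError as exc:
        raise UnsafeURL(f"malformed URL: {exc}") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if not host:
        raise UnsafeURL("URL has no host")
    if userinfo:
        raise UnsafeURL("credentials embedded in the URL are not allowed")
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        raise UnsafeURL(f"host not on allow-list: {host}")

    try:
        addresses = [host] if _is_ip_literal(host) else resolver(host)
    except OSError as exc:
        raise UnsafeURL(f"cannot resolve {host}: {exc}") from exc
    if not addresses:
        raise UnsafeURL(f"no addresses for {host}")
    # Every answer must be public: a name with one public and one internal
    # address is treated as hostile.
    for addr in addresses:
        if not _is_public(addr):
            raise UnsafeURL(f"{host} resolves to non-public address {addr}")
    return list(addresses)


def is_safe_download_url(url: str, allowed_hosts: Iterable[str] | None = None,
                         resolver: Callable[[str], list[str]] = _resolve) -> bool:
    """Boolean wrapper around validate_download_url."""
    try:
        validate_download_url(url, allowed_hosts, resolver)
        return True
    except UnsafeURL:
        return False


if __name__ == "__main__":
    # Constructed DNS table so the demo runs offline.
    fake_dns = {"mirror.example.org": ["93.184.216.34"],
                "localhost": ["127.0.0.1"],
                "metadata.internal.test": ["169.254.169.254"]}
    fake = lambda h: fake_dns.get(h, [])  # noqa: E731
    for u in ["https://mirror.example.org/iso/image.iso",
              "http://169.254.169.254/", "http://[::ffff:169.254.169.254]/",
              "http://localhost:8000/", "http://metadata.internal.test/",
              "file:///etc/passwd"]:
        print(f"{'ALLOW' if is_safe_download_url(u, resolver=fake) else 'BLOCK'} {u}")
```

The check is only as good as the moment it runs: pin the connection to the returned address and re-validate on each HTTP redirect, otherwise a name that re-resolves or a redirect to an internal address bypasses it.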



Advisories

Source: GitHub GHSA
ID: GHSA-m74m-f7cr-432x
Title: pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
History

Mon, 30 Mar 2026 07:15:00 +0000

Type: First Time appeared
  Values Added: Pyload; Pyload pyload
Type: Vendors & Products
  Values Added: Pyload; Pyload pyload

Sat, 28 Mar 2026 03:15:00 +0000

Type: Description
  Values Added: the description shown at the top of this page
Type: Title
  Values Added: pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
Type: Weaknesses
  Values Added: CWE-918
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T22:12:39.606Z

Reserved: 2026-03-24T22:20:06.211Z

Link: CVE-2026-33992

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-27T23:17:14.070

Modified: 2026-03-30T13:26:07.647

Link: CVE-2026-33992

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T06:59:55Z

Weaknesses