Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. This vulnerability is fixed in 0.5.0b3.dev97.
Published: 2026-04-07
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Configuration Modification
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in pyLoad's configuration handling stems from a mismatch between the option names used in the admin-only authorization check and the real configuration option names. The check references ssl_cert and ssl_key, while the actual options are ssl_certfile and ssl_keyfile, so the membership test never matches and the admin-only restriction is never enforced. As a result, any user granted the SETTINGS permission can change the SSL certificate and key file paths in the software's configuration, bypassing the intended admin restriction. This can allow an attacker to supply a forged certificate or redirect secure traffic to a malicious endpoint, exposing sensitive data or enabling man-in-the-middle attacks.
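As an added illustration of the Description and Impact above (constructed here, not pyLoad's own code): a simplified stand-in for set_config_value() that runs the shipped guard set beside the corrected one, plus a consistency check that flags guard-set entries naming no real option. The config layout, the user dict shape and the PermissionDenied class are assumptions.

```python
# Constructed illustration of the CVE-2026-35586 check: a simplified stand-in
# for pyLoad's set_config_value(), not the project's own code.
# Real core option names, taken from the advisory text.
KNOWN_CORE_OPTIONS = {"ssl_certfile", "ssl_keyfile", "ssl_certchain"}
# Guard set as shipped before 0.5.0b3.dev97: names that match no real option.
ADMIN_ONLY_CORE_OPTIONS_VULNERABLE = {"ssl_cert", "ssl_key"}
# Guard set after the fix: real option names, with ssl_certchain included.
ADMIN_ONLY_CORE_OPTIONS_FIXED = {"ssl_certfile", "ssl_keyfile", "ssl_certchain"}


class PermissionDenied(Exception):
    pass


def set_config_value(config, section, option, value, user, admin_only):
    """Write a config value if `user` may. Every caller needs the SETTINGS
    permission; options in `admin_only` additionally need the admin role."""
    if "SETTINGS" not in user["perms"]:
        raise PermissionDenied("SETTINGS permission required")
    # The bug: with the misspelled set, `option in admin_only` is False for the
    # real names ssl_certfile / ssl_keyfile, so this branch never fires.
    if section == "core" and option in admin_only and not user["is_admin"]:
        raise PermissionDenied(f"{option} may only be changed by an admin")
    config.setdefault(section, {})[option] = value
    return True


def attempt(option, admin_only, user):
    """Try to repoint `option` at another path; report 'applied' or 'denied'."""
    config = {"core": {"ssl_certfile": "/etc/pyload/cert.pem"}}  # constructed
    try:
        set_config_value(config, "core", option, "/tmp/other.pem", user, admin_only)
        return "applied"
    except PermissionDenied:
        return "denied"


def misnamed_guards(admin_only, known_options):
    """Defensive check: guard entries naming no real option can never match and
    silently disable the restriction. Returns those entries (empty is good)."""
    return set(admin_only) - set(known_options)


SETTINGS_USER = {"perms": {"SETTINGS"}, "is_admin": False}  # constructed users
ADMIN_USER = {"perms": {"SETTINGS"}, "is_admin": True}

if __name__ == "__main__":
    for name, guard in (("vulnerable", ADMIN_ONLY_CORE_OPTIONS_VULNERABLE),
                        ("fixed", ADMIN_ONLY_CORE_OPTIONS_FIXED)):
        print(name, attempt("ssl_certfile", guard, SETTINGS_USER),
              misnamed_guards(guard, KNOWN_CORE_OPTIONS))
```

The misnamed_guards check is the kind of unit test that would have caught this class of bug before release: every name in an authorization allow/deny set should resolve to an option the config actually defines.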

Affected Systems

The issue affects all installations of pyLoad version 0.5.0b3.dev96 and earlier. Users running the 0.5.0b3.dev97 release or later are not impacted, as the patch corrects the option names in the authorization set. The vulnerability is limited to the pyLoad download manager and its upstream maintenance branch under the pyload:pyload CNA.

Risk and Exploitability

The CVSS base score of 6.8 reflects moderate severity owing to the loss of configuration integrity. Because the bypass is tied to the SETTINGS permission, an attacker must first obtain at least that level of access to the pyLoad instance; beyond those normally privileged actions, no external network exploit is required. EPSS data is unavailable, and the vulnerability is not presently listed in CISA's KEV catalog. In typical deployments, an intruder with local or trusted remote access to the web interface or backend services can change the certificate paths, which could be leveraged to facilitate man-in-the-middle attacks or downgrade SSL, posing a significant confidentiality risk.

Generated by OpenCVE AI on April 7, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest pyLoad release (0.5.0b3.dev97 or later) to fix the option name mismatch.
  • If an immediate upgrade is not possible, restrict the SETTINGS permission to trusted administrators and review user roles to ensure only privileged users can modify configuration.
  • Verify that ssl_certfile and ssl_keyfile options point to legitimate, uncompromised certificate files and that the ssl_certchain option is correctly configured.
  • Restrict file system permissions on pyLoad’s configuration files so that only the application owner can modify them.
  • Consider disabling or monitoring the SETTINGS permission in the user management interface to detect unauthorized changes.


Advisories
Source ID Title
Github GHSA Github GHSA GHSA-ppvx-rwh9-7rj7 pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
History

Wed, 08 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pyload; Pyload pyload
Vendors & Products | | Pyload; Pyload pyload

Tue, 07 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. This vulnerability is fixed in 0.5.0b3.dev97.
Title | | Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T18:16:14.387Z

Reserved: 2026-04-03T20:09:02.828Z

Link: CVE-2026-35586

Vulnrichment

Updated: 2026-04-07T18:16:10.547Z

NVD

Status : Awaiting Analysis

Published: 2026-04-07T17:16:34.140

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-35586

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:48:02Z

Weaknesses