Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97.
Published: 2026-04-09
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

The vulnerability allows authenticated users with low privileges to perform MODIFY operations through the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints. These endpoints enforce weaker permissions than the core API methods they call, permitting actions such as adding or deleting users that should be denied. This results in unauthorized modification of configuration and potentially access to protected resources. The weakness is a classic permission mismatch, identified as CWE‑863, and directly facilitates privilege escalation within the pyLoad system.

Affected Systems

pyLoad users running versions prior to 0.5.0b3.dev97 are affected. The offending components are the three WebUI JSON endpoints that expose modify functionality. Any deployment of pyLoad before the stated patch contains the flaw.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. Exploitation requires the attacker to be authenticated to the pyLoad WebUI, so the attack vector is internal or remote but limited to known users. No EPSS score is provided, and the flaw is not listed in the CISA KEV catalog. Because the flaw is limited to the WebUI and does not enable remote code execution, the risk is constrained to privilege escalation and data modification for authenticated users.

Generated by OpenCVE AI on April 9, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pyLoad to version 0.5.0b3.dev97 or later

Generated by OpenCVE AI on April 9, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rfgh-63mg-8pwm pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions
History

Tue, 28 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*

Fri, 10 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Pyload
Pyload pyload
Vendors & Products Pyload
Pyload pyload

Thu, 09 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97.
Title pyLoad WebUI JSON permission mismatch lets ADD/DELETE users invoke MODIFY-only actions
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Pyload Pyload
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T14:09:11.900Z

Reserved: 2026-04-09T00:39:12.204Z

Link: CVE-2026-40071

cve-icon Vulnrichment

Updated: 2026-04-10T14:08:54.731Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T18:17:03.367

Modified: 2026-04-28T00:53:26.420

Link: CVE-2026-40071

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:31:53Z

Weaknesses