Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSION_COOKIE_SECURE on every request. Because pyLoad uses the multi-threaded Cheroot WSGI server (request_queue_size=512), this creates a race condition where an attacker's request can influence the Secure flag on other users' session cookies — either downgrading cookie security behind a TLS proxy or causing a session denial-of-service on plain HTTP deployments. This vulnerability is fixed in 0.5.0b3.dev98.
Published: 2026-04-21
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session cookie security downgrade and denial-of-service
Action: Patch
AI Analysis

Impact

The flaw allows an attacker to send a forged X-Forwarded-Proto header that the application accepts without validation, causing it to flip the global SESSION_COOKIE_SECURE flag (CWE-346). Because the Cheroot server is multithreaded, one request can change the Secure flag applied to other users' session cookies. The likely impact is that session cookies lose their Secure flag and are transmitted over an insecure connection, giving the attacker the opportunity to hijack those sessions, or, in a plain HTTP deployment, that the attacker forces a denial of service by preventing users from establishing secure sessions.

Affected Systems

The vulnerable software is the pyLoad download manager, versions earlier than 0.5.0b3.dev98. The issue is present in the pyload:pyload product, where the Flask configuration is altered during request handling.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. No EPSS information is available, and the vulnerability is not listed in CISA's KEV catalog, so it is not a known exploited vulnerability. Exploitation requires the attacker to be able to send a request that includes an X-Forwarded-Proto header, or to manipulate traffic through a proxy that the application trusts. The likely attack vector is network-based and relies on the application accepting an unvalidated header. Although no public exploits are reported at this time, the race condition could allow a malicious actor to downgrade session cookie security or disrupt service, especially on systems lacking TLS.

Generated by OpenCVE AI on April 22, 2026 at 05:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update pyLoad to version 0.5.0b3.dev98 or later.
  • Ensure that the X-Forwarded-Proto header is only accepted from a trusted reverse proxy, or disable the use of this header if not needed.
  • Run the application behind a properly configured HTTPS reverse proxy and verify that only secure connections are allowed.
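As an added illustration (not pyLoad's source and not the project's actual patch), the following models the pattern the description and the recommended actions refer to: a shared, process-wide SESSION_COOKIE_SECURE setting rewritten on every request from a client-supplied X-Forwarded-Proto header, beside a per-request decision that honours the header only when the immediate peer is a configured reverse proxy. The WSGI environ dicts, peer addresses and trusted-proxy networks are constructed assumptions.

```python
import ipaddress

# Vulnerable pattern (reconstructed for illustration, not pyLoad's source):
# one process-wide flag that every request rewrites from a client-supplied header.
CONFIG = {"SESSION_COOKIE_SECURE": False}

def vulnerable_before_request(environ):
    proto = environ.get("HTTP_X_FORWARDED_PROTO", environ["wsgi.url_scheme"])
    CONFIG["SESSION_COOKIE_SECURE"] = (proto == "https")   # shared across threads

def vulnerable_cookie_secure(environ):
    return CONFIG["SESSION_COOKIE_SECURE"]   # may reflect another thread's request

# Hardened pattern: no shared state; the header counts only from assumed proxy addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.0/8")]

def effective_scheme(environ, trusted=TRUSTED_PROXIES):
    """Scheme the client actually used; X-Forwarded-Proto from untrusted peers is ignored."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if forwarded and any(peer in net for net in trusted):
        first = forwarded.split(",")[0].strip().lower()   # client-facing hop only
        if first in ("http", "https"):
            return first
    return environ["wsgi.url_scheme"]

def hardened_cookie_secure(environ):
    return effective_scheme(environ) == "https"   # derived per request, nothing shared

# Constructed environs standing in for two concurrent requests; the race is
# modelled as the attacker's handler running between the user's handler and
# the user's Set-Cookie.
def downgrade_scenario():
    """Behind a TLS proxy: a spoofed 'http' strips Secure from the user's cookie."""
    user = {"REMOTE_ADDR": "10.0.0.5", "wsgi.url_scheme": "http",
            "HTTP_X_FORWARDED_PROTO": "https"}            # added by the trusted proxy
    attacker = {"REMOTE_ADDR": "203.0.113.7", "wsgi.url_scheme": "http",
                "HTTP_X_FORWARDED_PROTO": "http"}         # untrusted peer, own header
    vulnerable_before_request(user)
    vulnerable_before_request(attacker)
    return vulnerable_cookie_secure(user), hardened_cookie_secure(user)  # (False, True)

def dos_scenario():
    """Plain-HTTP deployment: a spoofed 'https' marks the user's cookie Secure, so it is never sent back."""
    user = {"REMOTE_ADDR": "192.168.1.20", "wsgi.url_scheme": "http"}
    attacker = {"REMOTE_ADDR": "203.0.113.7", "wsgi.url_scheme": "http",
                "HTTP_X_FORWARDED_PROTO": "https"}
    vulnerable_before_request(user)
    vulnerable_before_request(attacker)
    return vulnerable_cookie_secure(user), hardened_cookie_secure(user)  # (True, False)
```

In a real Flask deployment the same per-request outcome is obtained by letting only the proxy-facing middleware rewrite the request scheme and by deciding the cookie flag from that, rather than writing to the application config during request handling.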

Generated by OpenCVE AI on April 22, 2026 at 05:39 UTC.

Advisories
Source       ID                    Title
Github GHSA  GHSA-mp82-fmj6-f22v   pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)
History

Wed, 22 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Pyload
                                      Pyload pyload
Vendors & Products                    Pyload
                                      Pyload pyload
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:45:00 +0000

Type          Values Removed   Values Added
Description                    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSION_COOKIE_SECURE on every request. Because pyLoad uses the multi-threaded Cheroot WSGI server (request_queue_size=512), this creates a race condition where an attacker's request can influence the Secure flag on other users' session cookies — either downgrading cookie security behind a TLS proxy or causing a session denial-of-service on plain HTTP deployments. This vulnerability is fixed in 0.5.0b3.dev98.
Title                          pyLoad: Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)
Weaknesses                     CWE-346
References
Metrics                        cvssV3_1
                               {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T18:01:30.556Z

Reserved: 2026-04-14T14:07:59.641Z

Link: CVE-2026-40594

Vulnrichment

Updated: 2026-04-21T18:01:23.709Z

NVD

Status : Received

Published: 2026-04-21T18:16:51.553

Modified: 2026-04-21T19:16:17.430

Link: CVE-2026-40594

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:45:09Z

Weaknesses