CVE-2026-41133 - Vulnerability Details

- pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)

Description

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions. This is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature. Commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 contains a fix for the issue.

Published: 2026-04-21

Score: 8.8 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

pyLoad versions through 0.5.0b3.dev97 cache the user’s role and permissions in the session at login. When an administrator later changes a user’s role or permissions in the database, the cached values remain in the session and continue to be used for authorization, allowing the user to maintain revoked privileges until the session ends or the user logs out. This flaw is a core authorization and session consistency issue, classified as CWE-613.

Affected Systems

The pyLoad download manager, vendor pyload:pyload, is affected by this bug in all releases up to and including 0.5.0b3.dev97. Users relying on earlier roles and permissions can retain those privileges after an update to their account in the database.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. An attacker who has an active session prior to a role or permission change can exploit the stale session data to perform privileged actions without re‑authenticating. Although no public exploit is currently documented, the high severity and the fact that the flaw persists until logout make it a significant risk for environments where role changes occur frequently.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

pyload

affected

Version	Status	Constraints
`<= 0.5.0b3.dev97`	affected	—

No data.

Vendor Product Confidence Versions

Pyload

100%

Version	Status	Scheme	Platform
`[0,0.5.0b3.dev97]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the patch corresponding to commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 to resolve stale session authorization.
Upgrade to pyLoad version 0.5.0b4 or later, which contains the fix for this issue.
Ensure all user sessions are invalidated or users are forced to log out immediately after any change to roles or permissions to prevent use of stale privileges.

Generated by OpenCVE AI on April 22, 2026 at 04:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1
https://github.com/pyload/pyload/security/advisories/GHSA-66hx-chf7-3332

History

Wed, 22 Apr 2026 01:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pyload Pyload pyload
Vendors & Products		Pyload Pyload pyload

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions. This is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature. Commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 contains a fix for the issue.
Title		pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
Weaknesses		CWE-613
References		https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 https://github.com/pyload/pyload/security/advisories/GHSA-66hx-chf7-3332
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Pyload Pyload

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-21T23:41:06.258Z

Updated: 2026-04-21T23:41:06.258Z

Reserved: 2026-04-17T12:59:15.738Z

Link: CVE-2026-41133

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T00:16:29.153

Modified: 2026-04-22T00:16:29.153

Link: CVE-2026-41133

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:30:05Z

Weaknesses

CWE-613

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object