Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option ("general", "ssl_verify") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.
Published: 2026-05-11
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in pyLoad's set_config_value API, which exposes the ssl_verify setting to users with the SETTINGS permission. By setting general.ssl_verify to off, these users can globally disable SSL/TLS peer verification for all outbound pycurl requests. This removes certificate checks and allows an attacker who can position themselves on the network path to present forged certificates, enabling a man-in-the-middle attack that can compromise confidentiality, integrity and potentially availability of the downloaded content. The flaw is rooted in CWE-295, CWE-306 and CWE-863.

Affected Systems

All installations of pyLoad older than version 0.5.0b3.dev100 are affected. The issue does not require elevated privileges beyond a normal authenticated user with the SETTINGS role, so any user who has been granted that permission—whether intentionally or via credential compromise—can exploit the flaw. The affected product is the pyLoad download manager, both the core application and any components that perform outbound downloads.

Risk and Exploitability

The CVSS score of 6.8 represents a medium severity risk. The EPSS score is not available, so the current predicted exploitation probability is unknown. The vulnerability is not yet listed in the CISA KEV catalog. An attacker must first obtain authenticated access with SETTINGS permission; once gained, the vulnerability is straightforward to exploit by toggling ssl_verify and performing any outbound request that the user initiates. No privilege escalation is required beyond the existing authenticated session, and the attack can be carried out in an on-path or intercepting environment to supply forged certificates.

Generated by OpenCVE AI on May 11, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to pyLoad version 0.5.0b3.dev100 or later, where changing the ssl_verify setting is restricted to administrators.
  • Restrict the SETTINGS permission to trusted administrative accounts or disable the permission for ordinary users, reducing the number of accounts that can change SSL verification settings.
  • As an interim measure, manually set the "general.ssl_verify" configuration option to True and monitor system logs for unauthorized changes; if possible, disable or restrict the set_config_value endpoint for non-admin users.
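The allowlist gate that the description explains and the interim audit that the recommended actions suggest, as an added Python illustration that is not pyLoad's code: Perms, ConfigStore, the two policy classes, curl_verify_options and every option name other than ("general", "ssl_verify") are hypothetical stand-ins that model the behaviour the advisory describes. It goes slightly beyond the page by contrasting the hand-maintained admin-only list with a deny-by-default policy, which is the design that makes the repeated missed-option fixes in this CVE family impossible by construction.

```python
"""Added illustration of the allowlist-gated config setter described in the advisory.

Example code, not pyLoad's source: Perms, ConfigStore, the policy classes and all
option names except ("general", "ssl_verify") are hypothetical stand-ins.
"""
from enum import Flag, auto


class Perms(Flag):
    SETTINGS = auto()
    ADMIN = auto()


class PermissionDenied(Exception):
    pass


SSL_VERIFY = ("general", "ssl_verify")


class AdminOnlyListPolicy:
    """Pre-fix style: a hand-maintained list of admin-only options.
    Anything NOT in the list is editable by any SETTINGS user, so every
    omission (here ssl_verify) silently becomes a non-admin-editable option."""

    def __init__(self, admin_only):
        self.admin_only = set(admin_only)

    def requires_admin(self, key):
        return key in self.admin_only


class DenyByDefaultPolicy:
    """Hardened alternative: list the options a non-admin MAY edit and treat
    everything else as admin-only, so a forgotten entry fails closed."""

    def __init__(self, non_admin_editable):
        self.non_admin_editable = set(non_admin_editable)

    def requires_admin(self, key):
        return key not in self.non_admin_editable


class ConfigStore:
    def __init__(self, policy):
        self.policy = policy
        # constructed defaults: TLS verification on, plus one harmless hypothetical option
        self.values = {SSL_VERIFY: True, ("download", "max_speed"): 0}

    def set_config_value(self, user_perms, section, option, value):
        """Models the @permission(Perms.SETTINGS) check followed by the admin-only gate."""
        if Perms.SETTINGS not in user_perms:
            raise PermissionDenied("SETTINGS permission required")
        key = (section, option)
        if self.policy.requires_admin(key) and Perms.ADMIN not in user_perms:
            raise PermissionDenied(f"{section}.{option} may only be changed by an admin")
        self.values[key] = value
        return value

    def ssl_verify(self):
        return bool(self.values.get(SSL_VERIFY, True))


def curl_verify_options(ssl_verify):
    """libcurl option values implied by the setting: verification on means
    SSL_VERIFYPEER=1 and SSL_VERIFYHOST=2; off means both 0, as the advisory states."""
    return {"SSL_VERIFYPEER": 1 if ssl_verify else 0,
            "SSL_VERIFYHOST": 2 if ssl_verify else 0}


def non_admin_can_disable_tls(policy):
    """True if a user holding only SETTINGS can turn ssl_verify off under this policy."""
    store = ConfigStore(policy)
    try:
        store.set_config_value(Perms.SETTINGS, "general", "ssl_verify", False)
    except PermissionDenied:
        return False
    return not store.ssl_verify()


def audit_ssl_verify(store):
    """Interim check from the remediation section: report whether TLS peer
    verification is currently disabled so the change can be alerted on."""
    if store.ssl_verify():
        return "ok: general.ssl_verify is on"
    return "ALERT: general.ssl_verify is off; outbound TLS is unverified"


# Three policies: the pre-fix list missing ssl_verify, the fixed list, and deny-by-default.
VULNERABLE = AdminOnlyListPolicy({("webui", "port")})          # ssl_verify omitted
FIXED = AdminOnlyListPolicy({("webui", "port"), SSL_VERIFY})   # ssl_verify added
DENY_BY_DEFAULT = DenyByDefaultPolicy({("download", "max_speed")})

if __name__ == "__main__":
    for name, policy in [("vulnerable", VULNERABLE), ("fixed", FIXED),
                         ("deny-by-default", DENY_BY_DEFAULT)]:
        print(f"{name:16s} non-admin can disable TLS: {non_admin_can_disable_tls(policy)}")
    store = ConfigStore(VULNERABLE)
    store.set_config_value(Perms.SETTINGS, "general", "ssl_verify", False)
    print(audit_ssl_verify(store), curl_verify_options(store.ssl_verify()))
```

Under the VULNERABLE policy the SETTINGS-only user succeeds and the store ends up with both curl verification options at 0; under FIXED and DENY_BY_DEFAULT the same call is refused. The deny-by-default policy is the design choice worth noting: a list of what non-admins may touch fails closed when someone adds a new security-sensitive option and forgets to classify it, whereas a list of what they may not touch fails open, which is exactly the pattern behind the four earlier CVEs the description cites.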


Advisories
Source: GitHub GHSA
ID: GHSA-ccxc-x975-4hh9
Title: pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
History

Mon, 11 May 2026 19:15:00 +0000
  Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 11 May 2026 18:45:00 +0000
  First Time appeared (values added): Pyload; Pyload pyload
  Vendors & Products (values added): Pyload; Pyload pyload

Mon, 11 May 2026 17:30:00 +0000
  Description (values added): pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option ("general", "ssl_verify") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.
  Title (values added): pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification
  Weaknesses (values added): CWE-295, CWE-306, CWE-863
  References (values added):
  Metrics (values added): cvssV3_1
    {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T19:06:12.697Z

Reserved: 2026-04-26T12:37:18.169Z

Link: CVE-2026-42312

Vulnrichment

Updated: 2026-05-11T18:50:43.772Z

NVD

Status: Received

Published: 2026-05-11T18:16:34.833

Modified: 2026-05-11T20:25:42.430

Link: CVE-2026-42312

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T18:45:25Z

Weaknesses