Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist contains ("proxy", "username") and ("proxy", "password") — which protect the proxy credentials — but it does not include ("proxy", "enabled"), ("proxy", "host"), ("proxy", "port"), or ("proxy", "type"). Any authenticated user with the non-admin SETTINGS permission can enable proxying and point pyload at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.
Published: 2026-05-11
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in pyLoad’s set_config_value() API, which incorrectly filters security-sensitive options with a manual allowlist. Users possessing the SETTINGS permission but not admin rights can enable the proxy, specify the host, port and type, and effectively reroute all pyLoad outbound traffic through an attacker‑controlled proxy. This exposes sensitive data such as download URLs, captcha submissions, update checks and plugin HTTP requests to the attacker, enabling data exfiltration, credential theft and possibly remote code execution if the attacker serves malicious content. The weakness is categorized by CWE-441, CWE-863 and CWE-918.

Affected Systems

pyLoad installations versioned before 0.5.0b3.dev100 are affected. Any user granted non‑admin SETTINGS permission on those deployments can trigger the flaw. The upstream pyload project is the vendor, and the fix is distributed in the 0.5.0b3.dev100 release.

Risk and Exploitability

The CVSS score of 8.3 classifies the vulnerability as high severity. EPSS data is unavailable, but the flaw is exploitable by any authenticated non‑admin user who can call the set_config_value() API, a common operation in regular pyLoad usage. Since the bug allows an attacker to redirect all external traffic, the risk of credential compromise or interception is significant. The vulnerability is not listed in CISA’s KEV catalog, but the high impact and wide user base warrant immediate attention. The most likely attack vector is through the privileged API call, which the affected users can perform from any client with authentication to the pyLoad instance.

Generated by OpenCVE AI on May 11, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pyLoad to version 0.5.0b3.dev100 or later, where the proxy allowlist has been corrected.
  • Revoke or restrict the SETTINGS permission from non‑admin users; ensure only trusted administrators hold this privilege.
  • Configure the host’s firewall or the pyLoad environment to block outbound connections to arbitrary external hosts, limiting the ability to point the proxy at an attacker controlled server.

Generated by OpenCVE AI on May 11, 2026 at 18:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pg67-9wjv-mr85 pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
History

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 11 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Pyload
Pyload pyload
Vendors & Products Pyload
Pyload pyload

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist contains ("proxy", "username") and ("proxy", "password") — which protect the proxy credentials — but it does not include ("proxy", "enabled"), ("proxy", "host"), ("proxy", "port"), or ("proxy", "type"). Any authenticated user with the non-admin SETTINGS permission can enable proxying and point pyload at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.
Title pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy
Weaknesses CWE-441
CWE-863
CWE-918
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Pyload Pyload
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:51:11.248Z

Reserved: 2026-04-26T12:37:18.169Z

Link: CVE-2026-42313

cve-icon Vulnrichment

Updated: 2026-05-12T13:51:06.032Z

cve-icon NVD

Status : Received

Published: 2026-05-11T18:16:34.980

Modified: 2026-05-12T14:17:04.983

Link: CVE-2026-42313

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T18:45:25Z

Weaknesses