Skip to main content

Python CVE-2026-33992

| EUVDEUVD-2026-16886 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-27 https://github.com/pyload/pyload GHSA-m74m-f7cr-432x
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 27, 2026 - 18:30 euvd
EUVD-2026-16886
Analysis Generated
Mar 27, 2026 - 18:30 vuln.today
Patch released
Mar 27, 2026 - 18:30 nvd
Patch available
CVE Published
Mar 27, 2026 - 18:00 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

Summary

PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init.

Details

The vulnerability exists in PyLoad's download package functionality (/api/addPackage endpoint), which directly passes user-supplied URLs to the download engine without validating the destination. The affected code in src/pyload/webui/app/blueprints/api_blueprint.py:

python
@bp.route("/addPackage", methods=["POST"], endpoint="add_package")
@login_required
def add_package():
    name = flask.request.form["add_name"]
    links = flask.request.form["add_links"].split("\n")
# ... validation omitted ...
    api.add_package(name, links, dest)
# No URL validation

The download engine in src/pyload/core/managers/download.py accepts any URL scheme and initiates HTTP requests to arbitrary destinations, including internal network addresses and cloud metadata endpoints.

Proof of Concept

Live Demo Instance: http://143.244.141.81:8000 Credentials: pyload / pyload

  • Login into the pyload application
  • Navigate to package tab and enter the package name and fill the Link section with the following URL
http://169.254.169.254/metadata/v1.json

<img width="1851" height="786" alt="image" src="https://github.com/user-attachments/assets/18e7aedf-7663-4a57-8f3e-5200be2c958e" />

  • Now navigate to Files section and download the link.

<img width="1429" height="870" alt="image" src="https://github.com/user-attachments/assets/9b8b9cd6-afb7-461c-b058-a3cc4f26e2e6" />

  • It was observed that we are able to Read the Digital Ocean Metadata

<img width="1872" height="837" alt="image" src="https://github.com/user-attachments/assets/d30d2d74-53e9-46f8-8206-894a275ac831" />

The downloaded v1.json file contains sensitive cloud infrastructure data:

  • Droplet ID: Unique identifier for the instance
  • Network Configuration: Public/private IP addresses, VPC topology
  • Authentication Keys: Cloud provider auth tokens
  • SSH Keys: Public keys configured in droplet metadata
  • Region and Datacenter: Infrastructure location

Impact

Vulnerability Type: Server-Side Request Forgery (SSRF) CVSS Score: 7.7 - 9.1 (High to Critical, depending on cloud deployment)

Affected Systems

  • All PyLoad installations (version 0.5.0 and potentially earlier)
  • Critical Impact on cloud deployments (AWS EC2, DigitalOcean, Google Cloud, Azure) where metadata contains:
  • IAM credentials (AWS)
  • SSH private keys (configured in user-data)
  • API tokens and secrets
  • Database credentials stored in cloud-init

Attack Requirements

  • Valid PyLoad user account (any role - ADMIN or USER)
  • Network connectivity to PyLoad instance

Security Impact

  1. Cloud Metadata Theft: Complete exfiltration of instance metadata
  2. Lateral Movement: Discovery and enumeration of internal network services
  3. Credential Exposure: Theft of cloud IAM credentials, SSH keys, API tokens
  4. Infrastructure Mapping: Network topology, IP addressing, service discovery

Remediation

Implement URL validation in the download engine:

  1. Whitelist allowed URL schemes (http/https only)
  2. Block requests to private IP ranges (RFC 1918, link-local addresses)
  3. Block cloud metadata endpoints (169.254.169.254, metadata.google.internal, etc.)
  4. Implement request destination validation before initiating downloads

AnalysisAI

PyLoad download manager (version 0.5.0 and potentially earlier, distributed via pip as pyload-ng) allows authenticated users to perform Server-Side Request Forgery attacks by submitting arbitrary URLs through the /api/addPackage endpoint without validation. Attackers with valid credentials can exfiltrate cloud provider metadata from AWS EC2, DigitalOcean, Google Cloud, and Azure instances, exposing IAM credentials, SSH keys, API tokens, and internal network topology. A proof-of-concept demonstration is documented with live instance credentials, and upstream fix available (PR/commit); released patched version not independently confirmed based on GitHub commit reference b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8.

Technical ContextAI

The vulnerability affects pyload-ng distributed via pip (pkg:pip/pyload-ng), identified as CWE-918 Server-Side Request Forgery. The flaw exists in PyLoad's web API blueprint (src/pyload/webui/app/blueprints/api_blueprint.py) where the add_package function accepts user-supplied URLs and passes them directly to the download engine (src/pyload/core/managers/download.py) without validation of the destination. This allows authenticated users to specify internal network addresses including RFC 1918 private ranges, link-local addresses (169.254.x.x), and cloud metadata endpoints. The download engine initiates HTTP requests to these arbitrary destinations, making the PyLoad server act as a proxy for accessing restricted resources. Cloud metadata services exposed at 169.254.169.254 (AWS, DigitalOcean, Azure) and metadata.google.internal (GCP) contain sensitive instance credentials, configuration data, and authentication tokens that should never be accessible to application users.

RemediationAI

Upstream fix available (PR/commit); released patched version not independently confirmed based on commit reference at https://github.com/pyload/pyload/commit/b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8. Organizations should monitor the official PyLoad repository at https://github.com/pyload/pyload for release announcements containing this commit and upgrade immediately when available. Until patching is possible, implement network-layer controls to block PyLoad server egress to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), and cloud metadata endpoints using firewall rules or security groups. On cloud platforms, apply IMDSv2 (Instance Metadata Service version 2) where available on AWS to require session tokens that SSRF attacks cannot easily obtain. Restrict PyLoad user account creation and audit existing accounts to minimize insider threat surface. Consider deploying PyLoad in isolated network segments without access to production infrastructure or cloud metadata services.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-33992 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy