Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
The fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). An authenticated attacker can set storage_folder to the session directory and download session files of other users via /files/get/, leading to account takeover.
Details
The fix in src/pyload/core/api/__init__.py:
directories = [PKGDIR, userdir]
if any(directories[0].startswith(d) for d in directories[1:]):
return
# blockedBut the Flask session directory is:
session_storage_path = os.path.join(api.get_cachedir(), "flask")
# = /tmp/pyLoad/flask ← NOT blocked by fixAttack Chain
- Attacker (admin) sets
storage_folder = /tmp/pyLoad/flask - Fix does NOT block this -
/tmp/pyLoad/flasknot insidePKGDIRoruserdir - Attacker requests
GET /files/get/<victim_session_filename> send_from_directory('/tmp/pyLoad/flask', session_file)serves victim's session- Attacker uses stolen session → Account Takeover
PoC
<img width="592" height="408" alt="POC" src="https://github.com/user-attachments/assets/936b9f56-325b-437d-9edd-e0d5bb995187" />
import os
PKGDIR = "/usr/lib/python3/dist-packages/pyload"
userdir = os.path.expanduser("~/.pyload")
session_dir = "/tmp/pyLoad/flask"
correct_case = lambda x: x
directories = [
correct_case(os.path.join(os.path.realpath(d), ""))
for d in [session_dir, PKGDIR, userdir]
]
blocked = any(directories[0].startswith(d) for d in directories[1:])
print(f"Fix blocks session_dir: {blocked}")
# Output: Fix blocks session_dir: False ← BYPASS CONFIRMEDImpact
Authenticated admin can steal sessions of other users → Account Takeover.
Suggested Fix
blocked_dirs = [PKGDIR, userdir, api.get_cachedir()]
directories = [
os.path.join(os.path.realpath(d), "")
for d in [value] + blocked_dirs
]
if any(directories[0].startswith(d) for d in directories[1:]):
returnAnalysisAI
Authenticated admin users in pyLoad-ng can bypass the CVE-2026-33509 fix by setting the storage_folder to the Flask session directory (/tmp/pyLoad/flask), then downloading and reusing session files of other users via the /files/get/ endpoint to achieve account takeover. The original patch failed to block access to the session cache directory, leaving it accessible through the directory traversal protection bypass. Publicly available proof-of-concept code confirms the bypass is functional.
Technical ContextAI
pyLoad-ng is a Python-based download manager with a Flask web interface that stores user session files in /tmp/pyLoad/flask. The vulnerability stems from an incomplete patch to CVE-2026-33509 in src/pyload/core/api/__init__.py, which validates that storage_folder cannot be set inside PKGDIR (/usr/lib/python3/dist-packages/pyload) or userdir (~/.pyload), but fails to block the Flask session cache directory (api.get_cachedir()/flask). The /files/get/ endpoint uses send_from_directory() to serve files from the configured storage_folder without proper path validation against all sensitive directories. CWE-706 (Incorrect Comparison) describes the root cause: the comparison logic is incomplete, missing a critical directory from the allowlist of blocked paths. The underlying issue is path traversal control bypass combined with improper access control to sensitive system directories.
RemediationAI
Apply the vendor-provided patch by modifying src/pyload/core/api/__init__.py to include api.get_cachedir() in the list of blocked directories. The corrected code should validate that storage_folder does not reside within PKGDIR, userdir, or api.get_cachedir(). Exact patched version confirmation is pending from the pyLoad project; check https://github.com/pyload/pyload/security/advisories/GHSA-w727-595x-pc3r for the official patch release. As an interim compensating control on Linux systems, restrict write permissions on /tmp/pyLoad/flask to the pyLoad process user only and prevent unprivileged users from modifying storage_folder settings through role-based access control. Disable the /files/get/ endpoint entirely if not required for legitimate use, or implement allowlist-based path validation that prevents access to any directory outside a designated safe directory. Monitor Flask session files in /tmp/pyLoad/flask for unauthorized access or deletion, as these may indicate exploitation attempts.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32958
GHSA-w727-595x-pc3r