pyLoad-ng CVE-2026-45306

Summary

The fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). An authenticated attacker can set storage_folder to the session directory and download session files of other users via /files/get/, leading to account takeover.

Details

The fix in src/pyload/core/api/__init__.py:

directories = [PKGDIR, userdir]
if any(directories[0].startswith(d) for d in directories[1:]):
    return
# blocked

But the Flask session directory is:

session_storage_path = os.path.join(api.get_cachedir(), "flask")
# = /tmp/pyLoad/flask  ← NOT blocked by fix

Attack Chain

1. Attacker (admin) sets storage_folder = /tmp/pyLoad/flask
2. Fix does NOT block this - /tmp/pyLoad/flask not inside PKGDIR or userdir
3. Attacker requests GET /files/get/<victim_session_filename>
4. send_from_directory('/tmp/pyLoad/flask', session_file) serves victim's session
5. Attacker uses stolen session → Account Takeover

PoC

<img width="592" height="408" alt="POC" src="https://github.com/user-attachments/assets/936b9f56-325b-437d-9edd-e0d5bb995187" />

import os

PKGDIR = "/usr/lib/python3/dist-packages/pyload"
userdir = os.path.expanduser("~/.pyload")
session_dir = "/tmp/pyLoad/flask"

correct_case = lambda x: x
directories = [
    correct_case(os.path.join(os.path.realpath(d), ""))
    for d in [session_dir, PKGDIR, userdir]
]
blocked = any(directories[0].startswith(d) for d in directories[1:])

print(f"Fix blocks session_dir: {blocked}")
# Output: Fix blocks session_dir: False  ← BYPASS CONFIRMED

Impact

Authenticated admin can steal sessions of other users → Account Takeover.

Suggested Fix

blocked_dirs = [PKGDIR, userdir, api.get_cachedir()]
directories = [
    os.path.join(os.path.realpath(d), "")
    for d in [value] + blocked_dirs
]
if any(directories[0].startswith(d) for d in directories[1:]):
    return