CVE-2026-33992
Received Received - Intake
Server-Side Request Forgery in pyLoad Download Engine Exposes Metadata

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-28
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33992
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pyload pyload 0.5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in pyLoad, a Python-based download manager. Before version 0.5.0b3.dev97, pyLoad's download engine would accept arbitrary URLs without validating them. This flaw allows an authenticated attacker to perform Server-Side Request Forgery (SSRF) attacks.

By exploiting this, the attacker can access internal network services and extract sensitive metadata from cloud providers.

For example, on DigitalOcean droplets, this could expose critical infrastructure information such as droplet ID, network configuration, region, authentication keys, and SSH keys configured via user-data or cloud-init.

The vulnerability was fixed in version 0.5.0b3.dev97.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to internal network services and leakage of sensitive infrastructure data.

  • Exposure of cloud provider metadata such as droplet ID, network configuration, and region.
  • Disclosure of authentication keys and SSH keys configured in user-data or cloud-init.

Such exposure can lead to further compromise of the affected systems and infrastructure.

Mitigation Strategies

To mitigate this vulnerability, upgrade pyLoad to version 0.5.0b3.dev97 or later, which contains a patch that validates URLs to prevent Server-Side Request Forgery (SSRF) attacks.

Additionally, restrict access to the pyLoad application to trusted users only, as exploitation requires authentication.

Compliance Impact

The vulnerability in pyLoad allows an authenticated attacker to perform Server-Side Request Forgery (SSRF) attacks, potentially accessing internal network services and exfiltrating sensitive cloud provider metadata, including authentication keys and SSH keys.

This exposure of sensitive infrastructure data could lead to unauthorized access to personal or protected information, which may impact compliance with standards and regulations such as GDPR and HIPAA that require protection of sensitive data and secure access controls.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33992. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart