Executive Summary

CVE-2026-35187 is a Server-Side Request Forgery (SSRF) vulnerability in the pyLoad download manager, specifically in the parse_urls API function. This function fetches arbitrary URLs server-side without validating the URL, restricting protocols, or blacklisting IP addresses.

An authenticated user with ADD permission can exploit this by making HTTP/HTTPS requests to internal network resources and cloud metadata endpoints, read local files using the file:// protocol, interact with internal services via gopher:// and dict:// protocols, and enumerate file existence through error-based responses.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including confidentiality loss, internal network reconnaissance, and potential data exfiltration.

• An attacker can read sensitive local files on the server.
• They can access internal network resources and cloud metadata endpoints, potentially exposing sensitive infrastructure information.
• The attacker can interact with internal services such as Redis or memcached, which may lead to remote code execution.
• They can perform internal port scanning and enumerate file existence, aiding further attacks.
• Data can be exfiltrated out-of-band via DNS or HTTP callbacks.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized HTTP/HTTPS requests initiated by authenticated users with ADD permissions to internal network resources, cloud metadata endpoints, or local file accesses via the file:// protocol.

Detection can include looking for signs of Server-Side Request Forgery (SSRF) such as requests to internal IP addresses (e.g., 169.254.169.254 for cloud metadata), or use of uncommon protocols like gopher:// and dict://.

Suggested commands to detect exploitation attempts include network monitoring commands and logs inspection, for example:

• Use tcpdump or Wireshark to capture outgoing HTTP/HTTPS requests from the pyLoad server to internal IP ranges: tcpdump -i eth0 host 169.254.169.254 or tcpdump -i eth0 dst net 10.0.0.0/8
• Check application logs for calls to the parse_urls API with suspicious URLs containing file://, gopher://, or dict:// protocols.
• Use grep or similar tools to search pyLoad logs for error patterns indicating file existence enumeration or internal port scanning.
• Monitor DNS logs for unusual outbound DNS queries that could indicate out-of-band data exfiltration.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the official patch that enforces strict URL validation and protocol restrictions in the parse_urls function.

Specifically, the patch restricts URL schemes to only http and https, and validates that hostnames resolve exclusively to globally routable IP addresses, blocking private, loopback, link-local, or reserved IPs.

If patching is not immediately possible, restrict access to the pyLoad API to trusted users only, especially limiting those with ADD permissions.

Additionally, implement network-level controls such as firewall rules to block outgoing requests from the pyLoad server to internal IP ranges and cloud metadata endpoints.

Monitor and audit usage of the parse_urls API to detect and respond to suspicious activity promptly.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in pyLoad allows an authenticated user with minimal privileges to perform server-side request forgery (SSRF) attacks that can lead to confidentiality loss by reading local files and accessing internal network resources, including cloud metadata endpoints.

Such unauthorized access and data disclosure can result in exposure of sensitive information, which may violate data protection regulations like GDPR and HIPAA that require strict controls on personal and sensitive data confidentiality.

Therefore, this vulnerability poses a significant risk to compliance with these standards by enabling potential data breaches and unauthorized internal network reconnaissance.

Useful 0 Not Useful 0