Executive Summary

CVE-2026-35459 is a Server-Side Request Forgery (SSRF) vulnerability in the pyLoad download manager (version 0.5.0b3 and earlier). Although an earlier fix (CVE-2026-33992) added validation to check the hostname of the initial download URL to prevent SSRF, this vulnerability bypasses that fix by exploiting HTTP redirects.

The pycurl library used by pyLoad is configured to automatically follow HTTP redirects (up to 10 redirects). However, the targets of these redirects are not validated against the SSRF filter. An authenticated user with ADD permission can submit a URL that initially passes validation but redirects to an internal or private IP address, allowing access to internal network resources.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated user with ADD permission to bypass SSRF protections and access sensitive internal resources by submitting URLs that redirect to internal IP addresses or cloud metadata endpoints.

• Access to cloud metadata services (e.g., AWS, GCP, DigitalOcean, Azure), potentially exposing IAM credentials and instance identity.
• Access to internal network services within private IP ranges such as 10.x.x.x, 172.16.x.x, and 192.168.x.x.
• Access to localhost services (127.0.0.1).

Overall, this can lead to unauthorized disclosure of sensitive internal information and compromise of internal network security.

Useful 0 Not Useful 0

Detection Guidance

Detection of this SSRF vulnerability involves monitoring for HTTP requests that follow redirects to internal or private IP addresses, which bypass the initial hostname validation.

Since pyLoad uses pycurl with automatic redirect following enabled (FOLLOWLOCATION=1 and MAXREDIRS=10), you can detect suspicious activity by capturing and analyzing HTTP traffic for redirects to private IP ranges such as 10.x.x.x, 172.16.x.x, 192.168.x.x, or localhost (127.0.0.1).

Suggested commands to detect such activity include using network traffic capture tools like tcpdump or Wireshark to filter HTTP redirect responses and subsequent requests to private IPs.

• tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Location:'
• Use Wireshark to filter HTTP response codes 3xx and inspect the 'Location' header for redirects to private IP addresses.

Additionally, reviewing pyLoad logs for error messages indicating aborted downloads due to server-side host refusal (HTTP response code 42) can help identify attempts blocked by the patch.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include disabling automatic HTTP redirect following in pycurl to prevent unvalidated redirects to internal IP addresses.

• Set pycurl's FOLLOWLOCATION option to 0 to stop automatic redirect following.
• Implement manual handling of HTTP redirects with validation of each redirect target's IP address to ensure it is not a private or internal address.
• Restrict allowed redirect protocols to HTTP and HTTPS only by setting REDIR_PROTOCOLS in pycurl.
• Apply or upgrade to the fixed version of pyLoad that includes the pre-request callback IP validation mechanism blocking private IP addresses.

These steps help prevent authenticated users from exploiting redirect-based SSRF bypasses and protect internal network resources.

Useful 0 Not Useful 0

Compliance Impact

The CVE-2026-35459 vulnerability allows an authenticated user with ADD permission to bypass SSRF protections and access internal network resources, including sensitive cloud metadata services and internal IP ranges.

This unauthorized access to internal or sensitive data could potentially lead to exposure of confidential information, which may impact compliance with data protection regulations such as GDPR or HIPAA that require safeguarding sensitive personal or health-related data.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.

Useful 0 Not Useful 0