CVE-2026-35459
Status: Received - Intake
SSRF Bypass via Redirects in pyLoad Download Manager

Publication date: 2026-04-06

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are never validated against the SSRF filter. An authenticated user with ADD permission can bypass the SSRF fix by submitting a URL that redirects to an internal address.
Meta Information
Published: 2026-04-06
Last Modified: 2026-04-20
Generated: 2026-05-07
AI Q&A: 2026-04-06
EPSS Evaluated: 2026-05-05
Reference: NVD
Affected Vendors & Products (1 associated CPE)
Vendor: pyload-ng_project
Product: pyload-ng
Version / Range: all versions before 0.5.0b3.dev97 (upper bound excluded)
CWE
CWE-918 (Server-Side Request Forgery): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35459 is a Server-Side Request Forgery (SSRF) vulnerability in the pyLoad download manager (pyload-ng 0.5.0b3.dev96 and earlier). An earlier fix (CVE-2026-33992) added validation of the hostname of the submitted download URL to stop SSRF; this vulnerability bypasses that fix with an HTTP redirect.

pyLoad's pycurl handle is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, so libcurl follows up to ten redirects on its own. The SSRF filter runs only on the hostname of the URL the user submitted; the Location targets libcurl then follows are never checked. An authenticated user with ADD permission therefore submits a URL on a host they control that passes validation and answers with a 302 to an internal or private address (or a cloud metadata endpoint), and pyLoad fetches that address from inside the network.


How can this vulnerability impact me?

An authenticated user with ADD permission can bypass the SSRF filter by submitting a URL that redirects to an internal address or a cloud metadata endpoint. Because the response body is saved as the download, whatever the internal endpoint returns ends up in pyLoad's download directory.

  • Access to cloud metadata services (AWS, GCP, DigitalOcean, Azure) at 169.254.169.254, potentially exposing IAM credentials and instance identity.
  • Access to internal services in the private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
  • Access to services bound to loopback (127.0.0.0/8, ::1) on the pyLoad host itself, including any that trust local connections.

Overall, this can lead to unauthorized disclosure of sensitive internal information and compromise of internal network security.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detecting exploitation means looking for the second request, the one to the redirect target, rather than for the submitted URL, which by construction passes validation.

Because pyLoad's pycurl handle follows redirects itself (FOLLOWLOCATION=1, MAXREDIRS=10), the tell-tale sequence on the wire is a 3xx response from an external host followed immediately by a connection from the pyLoad host to a private range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), to loopback (127.0.0.0/8) or to the link-local metadata address 169.254.169.254.

Suggested commands to detect such activity use capture tools like tcpdump or Wireshark to pull out HTTP redirect responses and the follow-up requests to private addresses:

  • tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Location:' (the BPF expression keeps only TCP segments that carry a payload, so plaintext HTTP Location headers stand out; a redirect served over HTTPS is invisible to this filter, so also watch the destination address of the connection that follows it).
  • Use Wireshark to filter HTTP response codes 3xx (http.response.code >= 300 && http.response.code < 400) and inspect the Location header for private, loopback or link-local targets.

Additionally, review pyLoad's logs for downloads aborted by the patched filter: with the fix in place a blocked hop surfaces as pycurl error 42 (CURLE_ABORTED_BY_CALLBACK, the code libcurl returns when a callback aborts the transfer), not as an HTTP status code, and a cluster of such errors from one account is a sign of attempted exploitation.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation is to stop libcurl from following redirects on its own and to validate every hop yourself before it is fetched.

  • Set pycurl's FOLLOWLOCATION option to 0 so libcurl does not chase Location headers. On its own this breaks downloads from mirrors and CDNs that redirect, so pair it with the next step rather than stopping here.
  • Handle redirects manually: on each 3xx, resolve the Location target and reject it if any address it resolves to is loopback, private (RFC 1918), link-local (including 169.254.169.254) or otherwise non-public. Check resolved addresses rather than hostname strings, and check every record, since a name can resolve to both a public and an internal address.
  • Restrict redirect protocols to HTTP and HTTPS via pycurl's REDIR_PROTOCOLS (REDIR_PROTOCOLS_STR on libcurl 7.85 and later), so a redirect cannot switch the transfer to file://, gopher:// or another scheme.
  • Upgrade to pyload-ng 0.5.0b3.dev97 or later, where the fix validates the IP in a pre-request callback, that is, against the address libcurl is actually connecting to; this also closes the DNS-rebinding window that a separate resolve-then-connect check leaves open.
  • Defence in depth: restrict the pyLoad host's egress to private ranges and the metadata endpoint at the network layer, and on AWS require IMDSv2 so a plain GET to 169.254.169.254 cannot return credentials.

These steps help prevent authenticated users from exploiting redirect-based SSRF bypasses and protect internal network resources.
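The per-hop check described in the explanation above and in the manual-redirect mitigation step, as an added example that is not pyLoad's code and not the project's fix. It puts the vulnerable pattern (filter the submitted URL once, then let the client chase Location headers) next to the hardened one (re-validate every hop by resolved address before it is fetched, with the scheme restricted to http/https and the same ten-redirect ceiling). The `transport` and `resolver` callables, `FAKE_DNS`, `FAKE_SITES` and the address 93.184.216.34 are constructed stand-ins so the example runs offline; in a real client they are the HTTP library and `socket.getaddrinfo`.

```python
"""Redirect-aware SSRF filtering for a download client (added example).

transport(url) -> (status, headers, body) and resolver(host) -> addresses are
injected so the example runs offline; see the constructed stand-ins at the end.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_REDIRS = 10                      # same ceiling the page quotes for MAXREDIRS
ALLOWED_SCHEMES = {"http", "https"}  # what REDIR_PROTOCOLS would restrict to


class BlockedHost(Exception):
    """Raised when a hop would reach a non-public address or use a bad scheme."""


def resolve_system(host):
    """Default resolver: every address the system returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public(addr):
    """True only for globally routable unicast addresses.

    ipaddress.is_global already excludes loopback, RFC 1918, link-local
    (169.254.0.0/16, where cloud metadata lives), CGNAT, documentation and
    IPv4-mapped IPv6 ranges; multicast is excluded explicitly.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def check_url(url, resolver=resolve_system):
    """Validate one hop: scheme, presence of a host, and every address the host
    resolves to (a name with one public and one private record is rejected)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise BlockedHost(f"scheme not allowed: {url}")
    host = parts.hostname
    if not host:
        raise BlockedHost(f"no host in URL: {url}")
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal, nothing to resolve
    except ValueError:
        addrs = set(resolver(host))
    blocked = sorted(a for a in addrs if not is_public(a))
    if blocked:
        raise BlockedHost(f"{host} resolves to non-public address(es) {blocked}")
    return addrs


def fetch(url, transport, resolver=resolve_system, validate_every_hop=True):
    """Follow up to MAX_REDIRS redirects and return (final_url, body).

    validate_every_hop=False reproduces the vulnerable pattern: the filter runs
    once on the submitted URL and redirect chasing is left to the client.
    """
    check_url(url, resolver)
    chain = [url]
    for _ in range(MAX_REDIRS + 1):
        status, headers, body = transport(url)
        location = headers.get("Location")
        if status not in (301, 302, 303, 307, 308) or location is None:
            return url, body
        url = urljoin(url, location)  # relative Location values resolve against the current hop
        if validate_every_hop:
            check_url(url, resolver)  # the check the vulnerable code never makes
        chain.append(url)
    raise BlockedHost(f"more than {MAX_REDIRS} redirects: {chain}")


# ---- constructed stand-ins so the example runs offline (not real hosts) ----
FAKE_DNS = {
    "dl.example": ["93.184.216.34"],   # sample public address: the attacker's redirector
    "intranet.example": ["10.0.0.5"],  # RFC 1918
}
FAKE_SITES = {
    "http://dl.example/file.zip": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"iam/"),
    "http://dl.example/mirror": (302, {"Location": "http://intranet.example/"}, b""),
    "http://intranet.example/": (200, {}, b"<html>intranet</html>"),
    "http://dl.example/ok": (302, {"Location": "https://dl.example/ok.bin"}, b""),
    "https://dl.example/ok.bin": (200, {}, b"PK\x03\x04"),
}


def fake_resolver(host):
    return FAKE_DNS[host]


def fake_transport(url):
    return FAKE_SITES[url]


if __name__ == "__main__":
    print(fetch("http://dl.example/ok", fake_transport, fake_resolver))
    print(fetch("http://dl.example/file.zip", fake_transport, fake_resolver, validate_every_hop=False))
    try:
        fetch("http://dl.example/file.zip", fake_transport, fake_resolver)
    except BlockedHost as e:
        print("blocked:", e)
```

Two caveats for a real deployment. First, resolving in `check_url` and then letting the HTTP client resolve again on connect leaves a DNS-rebinding window; pin the address (connect to what you checked) or, as the fix described above does, run the check in the client's pre-request callback against the address it is actually connecting to. Second, `check_url` is also the right thing to run over Location headers pulled out of a capture in the detection section: a target it rejects is exactly the hop an unpatched pyLoad would have fetched.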


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CVE-2026-35459 vulnerability allows an authenticated user with ADD permission to bypass SSRF protections and access internal network resources, including sensitive cloud metadata services and internal IP ranges.

This unauthorized access to internal or sensitive data could potentially lead to exposure of confidential information, which may impact compliance with data protection regulations such as GDPR or HIPAA that require safeguarding sensitive personal or health-related data.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.

