CVE-2026-35464
Arbitrary Code Execution via Session Injection in pyLoad

Publication date: 2026-04-07

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Vendor: pyload
Product: pyload
Version / Range: up to 2026-04-02 (excluding)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in pyLoad, a Python-based download manager, arises from an incomplete fix to a previous security issue. The fix intended to restrict non-admin users from modifying critical configuration options by introducing an ADMIN_ONLY_OPTIONS set. However, the 'storage_folder' option was not included in this set, allowing users with SETTINGS and ADD permissions (non-admin but with specific privileges) to redirect downloads to the Flask session directory.

Because Flask stores session files in a predictable filesystem location and deserializes them using Python's pickle module on each HTTP request, an attacker can plant a malicious pickle payload as a session file. When a request with the corresponding session cookie is received, the malicious code is executed, leading to arbitrary code execution.

The attack involves changing the storage_folder to the Flask session directory, calculating the target session filename based on the session ID, hosting a malicious pickle payload named after this filename, and triggering the deserialization by sending a request with the crafted session cookie.


How can this vulnerability impact me?

This vulnerability allows a non-admin user with SETTINGS and ADD permissions to execute arbitrary code on the pyLoad service without authentication. The attacker can run any commands as the pyLoad service user.

  • Execute arbitrary system commands.
  • Read environment variables, including sensitive API keys and credentials.
  • Access the filesystem, including download history and user databases.
  • Pivot to other network resources from the compromised system.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows a non-admin user with SETTINGS and ADD permissions to achieve arbitrary code execution as the pyload service user without authentication.

An attacker can execute arbitrary commands, read environment variables including API keys and credentials, access the filesystem including download history and user database, and pivot to other network resources.

Such unauthorized access and control over sensitive data and system resources can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information.

Specifically, the exposure of credentials and user data, as well as the ability to execute arbitrary code, compromises confidentiality, integrity, and availability, which are core principles in these standards.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying if the pyLoad instance is vulnerable to arbitrary file write and remote code execution via the Flask session store. Specifically, you can check if the 'storage_folder' configuration option has been improperly set to the Flask session directory (e.g., /tmp/pyLoad/flask).

One approach is to inspect the current configuration value of 'storage_folder' by querying the pyLoad API or configuration files.

  • Send a POST request to /api/get_config_value with 'storage_folder' as the parameter to verify its current path.
  • Check for the presence of suspicious files in the Flask session directory, typically located at /tmp/pyLoad/flask/, especially files named as MD5 hashes of session IDs.
  • Monitor HTTP requests for unusual session cookies named like 'pyload_session_<port>' with suspicious session IDs.

Example commands to check the Flask session directory for suspicious files:

  • ls -l /tmp/pyLoad/flask/
  • find /tmp/pyLoad/flask/ -type f -exec md5sum {} +

Additionally, reviewing pyLoad logs for unexpected POST requests to /api/set_config_value or /api/add_package endpoints from non-admin users can help detect exploitation attempts.
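As an added example (not code from this page or from the pyLoad project), the following Python script carries out the file-level check from the list above over a session directory. It walks each file with pickletools, which decodes pickle opcodes without ever unpickling anything, collects the module/name pairs an unpickler would import, and flags any entry that references something outside a small allowlist of what a plain session dict should contain, or whose name does not look like the MD5-style key the page describes. The directory, its two sample entries, the allowlist and the assumption that an entry may hold more than one pickle back to back (expiry, then value, as some filesystem cache backends write) are all constructed for the example; the allowlist must be tuned to what a real deployment stores in sessions.

```python
from __future__ import annotations

import hashlib
import io
import os
import pickle
import pickletools
import re
import tempfile
from datetime import datetime

# Heuristic allowlist of "module name" references a plain session dict may carry.
# Constructed for this example: tune it to what your application stores in sessions.
ALLOWED_GLOBALS = frozenset({"datetime datetime", "datetime timezone", "datetime timedelta"})
STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING",
                  "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
MEMO_PUT = {"PUT", "BINPUT", "LONG_BINPUT"}
MEMO_GET = {"GET", "BINGET", "LONG_BINGET"}
HEX32 = re.compile(r"^[0-9a-f]{32}$")   # page: session files are named as MD5 hashes


def session_filename(session_id: str) -> str:
    """File name the store uses for a session id (MD5 hex, per the page)."""
    return hashlib.md5(session_id.encode()).hexdigest()


def globals_in_pickle(data: bytes) -> list[str]:
    """Walk every pickle stream in `data` with pickletools (nothing is unpickled)
    and return the 'module name' pairs an unpickler would import."""
    refs, buf = [], io.BytesIO(data)
    while buf.tell() < len(data):           # assumption: an entry may hold several pickles
        strings, memo, last = [], {}, None  # just enough state to resolve STACK_GLOBAL operands
        for opcode, arg, _pos in pickletools.genops(buf):
            name = opcode.name
            if name in STRING_OPCODES:
                strings.append(arg)
                last = arg
            elif name == "MEMOIZE":
                memo[len(memo)] = last
            elif name in MEMO_PUT:
                memo[arg] = last
            elif name in MEMO_GET:
                last = memo.get(arg)
                if isinstance(last, str):
                    strings.append(last)
            elif name == "GLOBAL":          # protocols 0-3: arg is already "module name"
                refs.append(arg)
                last = None
            elif name == "STACK_GLOBAL":    # protocol 4+: module and name were pushed as strings
                refs.append(" ".join(strings[-2:]))
                last = None
            else:
                last = None
    return refs


def classify_session_file(path: str) -> str:
    """Return 'ok' or a 'suspicious: ...' reason for one file in the session store."""
    if not HEX32.match(os.path.basename(path)):
        return "suspicious: filename is not an MD5-style session key"
    with open(path, "rb") as fh:
        data = fh.read()
    try:
        refs = globals_in_pickle(data)
    except Exception as exc:                # truncated or non-pickle content
        return f"suspicious: unparseable pickle ({exc.__class__.__name__})"
    unexpected = sorted(set(refs) - ALLOWED_GLOBALS)
    if unexpected:
        return "suspicious: imports outside allowlist: " + ", ".join(unexpected)
    return "ok"


def scan_session_dir(session_dir: str) -> dict[str, str]:
    """Classify every regular file in the directory; read-only, never executes contents."""
    return {name: classify_session_file(os.path.join(session_dir, name))
            for name in sorted(os.listdir(session_dir))
            if os.path.isfile(os.path.join(session_dir, name))}


def build_sample_session_dir() -> str:
    """Constructed fixture: one ordinary session entry, one entry carrying an object a
    session should never contain (a compiled regex, a harmless stand-in for anything
    that is not plain data), and one file that does not follow the naming rule."""
    d = tempfile.mkdtemp(prefix="session-scan-demo-")
    expiry = pickle.dumps(1_800_000_000, protocol=1)     # expiry pickle written before the value
    good = {"user": "alice", "authenticated": True, "issued": datetime(2026, 4, 7)}
    odd = {"user": "alice", "extra": re.compile("session")}
    for sid, value in (("sid-legit", good), ("sid-odd", odd)):
        with open(os.path.join(d, session_filename(sid)), "wb") as fh:
            fh.write(expiry + pickle.dumps(value))
    with open(os.path.join(d, "notes.txt"), "wb") as fh:
        fh.write(b"not a session entry")
    return d


if __name__ == "__main__":
    for name, verdict in scan_session_dir(build_sample_session_dir()).items():
        print(f"{name}: {verdict}")
```

To use it on a live system, call scan_session_dir on the directory named above (/tmp/pyLoad/flask/ in the default layout the answer describes) instead of the fixture. A hit means the entry was not written by a normal session save and belongs in incident handling; it does not by itself prove the content is malicious, and an empty result does not prove the configuration is safe, so pair it with the storage_folder check from the list above.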


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include preventing non-admin users from modifying the 'storage_folder' option and blocking writes to the Flask session directory.

  • Apply the fix that adds 'storage_folder' to the ADMIN_ONLY_OPTIONS set, ensuring only admin users can change this critical configuration.
  • Enhance path validation checks to prevent setting 'storage_folder' to temporary directories used by Flask sessions, such as /tmp/pyLoad/flask.
  • Update pyLoad to the fixed version that includes commit c4cf995a2803bdbe388addfc2b0f323277efc0e1 or later.
  • Restrict permissions on the Flask session directory to prevent unauthorized file writes.

In the short term, consider monitoring and blocking suspicious API requests from users with SETTINGS and ADD permissions who are not admins.
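The first two mitigation items above (an admin-only option set plus path validation) are easiest to reason about side by side. The following Python example is added here and is a hypothetical reconstruction of the shape of such a check, not pyLoad's code: the same set_config_value request is evaluated against a rule set that lacks storage_folder in its admin-only set and only fences PKGDIR and userdir, and then against a rule set that adds storage_folder to the admin-only set and also fences the session directory. The User class, the option names other than storage_folder, and the temporary directories standing in for PKGDIR, userdir and the session store are all constructed for the example.

```python
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class User:                     # hypothetical user model, constructed for the example
    name: str
    is_admin: bool = False
    perms: frozenset = frozenset()


# Hypothetical option sets. The page says the fix adds storage_folder to pyLoad's
# ADMIN_ONLY_OPTIONS; the "before" set stands in for a set that lacks it.
ADMIN_ONLY_BEFORE = frozenset({"some_other_admin_option"})
ADMIN_ONLY_AFTER = ADMIN_ONLY_BEFORE | {"storage_folder"}
PATH_OPTIONS = frozenset({"storage_folder"})   # options whose value is a filesystem path


def inside(path: str, root: str) -> bool:
    """True if `path` resolves to `root` or beneath it, with symlinks and '..' resolved."""
    real_path, real_root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([real_path, real_root]) == real_root


def check_set_config(user: User, option: str, value: str,
                     admin_only: frozenset, forbidden_roots: tuple) -> tuple[bool, str]:
    """Authorization decision for a set_config_value request: (allowed, reason)."""
    if not (user.is_admin or "SETTINGS" in user.perms):
        return False, "SETTINGS permission required"
    if option in admin_only and not user.is_admin:
        return False, f"{option} may only be changed by an administrator"
    if option in PATH_OPTIONS:
        for root in forbidden_roots:
            if inside(value, root):
                return False, f"{option} may not point inside {root}"
    return True, "allowed"


def demo() -> dict[str, bool]:
    """Evaluate the same requests under the pre-fix and post-fix rules. All directories
    are constructed temp dirs standing in for PKGDIR, userdir and the session store."""
    base = tempfile.mkdtemp(prefix="cfg-check-demo-")
    pkgdir, userdir = os.path.join(base, "pkg"), os.path.join(base, "user")
    session_dir, downloads = os.path.join(base, "flask"), os.path.join(base, "downloads")
    for d in (pkgdir, userdir, session_dir, downloads):
        os.mkdir(d)
    editor = User("editor", perms=frozenset({"SETTINGS", "ADD"}))   # non-admin with SETTINGS+ADD
    admin = User("root", is_admin=True)
    dotted = os.path.join(session_dir, "..", "flask")   # '..' is normalised, so it is still inside

    before = dict(admin_only=ADMIN_ONLY_BEFORE, forbidden_roots=(pkgdir, userdir))
    after = dict(admin_only=ADMIN_ONLY_AFTER, forbidden_roots=(pkgdir, userdir, session_dir))
    return {
        # the flaw: neither rule in the old set stops a non-admin here
        "before_editor_session_dir": check_set_config(editor, "storage_folder", session_dir, **before)[0],
        "after_editor_session_dir": check_set_config(editor, "storage_folder", session_dir, **after)[0],
        "after_editor_downloads": check_set_config(editor, "storage_folder", downloads, **after)[0],
        "after_admin_session_dir": check_set_config(admin, "storage_folder", dotted, **after)[0],
        "after_admin_downloads": check_set_config(admin, "storage_folder", downloads, **after)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Two design points carry over to any real implementation: the path rule uses realpath plus commonpath rather than string prefix matching, so symlinks and '..' segments cannot sidestep it, and it is applied to administrators too, because the session store is never a sensible download target regardless of who asks.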

