CVE-2026-35586
Authorization Bypass in pyLoad Allows SSL Certificate Overwrite
Publication date: 2026-04-07
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pyload-ng_project | pyload-ng | up to 0.5.0b3.dev96 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized users with SETTINGS permission to overwrite SSL certificate and key file paths, enabling Man-in-the-Middle (MitM) attacks that can intercept and decrypt HTTPS traffic, including admin credentials and session tokens.
Such unauthorized access and potential credential theft can lead to violations of data protection and privacy requirements found in standards like GDPR and HIPAA, which mandate the protection of sensitive data and secure communications.
By compromising the confidentiality and integrity of encrypted communications, this vulnerability undermines compliance with these regulations that require strong security controls to prevent unauthorized data access.
Can you explain this vulnerability to me?
The vulnerability in pyLoad occurs because the authorization check for certain SSL configuration options uses incorrect option names. Specifically, the admin-only set of options incorrectly lists "ssl_cert" and "ssl_key" instead of the actual option names "ssl_certfile" and "ssl_keyfile", and it completely omits the "ssl_certchain" option.
Due to this mismatch, the admin-only check always fails for these SSL-related options, allowing any user with SETTINGS permission (not necessarily an admin) to overwrite the SSL certificate and key file paths.
This means an attacker with SETTINGS permission can supply their own SSL certificate and key file paths, which the server will load after a restart, effectively enabling the attacker to serve HTTPS with their own credentials.
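The mismatch described above reduces to a set-membership check that can never match. The following is an added illustration, not pyLoad's own code: it models an admin-only option set that names the wrong keys beside a corrected set, and shows which SSL options a SETTINGS-only user can change under each. The permission bit names, the `User` class, `set_config_value` and `probe` are assumptions of this model, and whether the vulnerable entries carried the `webui|` prefix is also assumed here.

```python
"""Model of the authorization check described in the advisory.

Constructed example; it does not reproduce src/pyload/core/api/__init__.py.
"""
from dataclasses import dataclass

# Permission bits, assumed for this model (names are illustrative).
PERM_SETTINGS = 1
PERM_ADMIN = 2

# The option names the web UI actually uses, as named in the advisory.
ACTUAL_SSL_OPTIONS = {
    "webui|ssl_certfile",
    "webui|ssl_keyfile",
    "webui|ssl_certchain",
}

# Vulnerable: names that never match what a client actually sets,
# and no entry at all for the chain option.
ADMIN_ONLY_CORE_OPTIONS_VULNERABLE = {"webui|ssl_cert", "webui|ssl_key"}

# Fixed: the real option names, including the previously missing one.
ADMIN_ONLY_CORE_OPTIONS_FIXED = set(ACTUAL_SSL_OPTIONS)


@dataclass
class User:
    name: str
    perms: int

    def has(self, perm: int) -> bool:
        return bool(self.perms & perm)


def set_config_value(user, section, option, value, admin_only, config):
    """Apply a config change only if the caller is authorized.

    Returns True when the change was applied, False when it was refused.
    The admin-only test is a plain membership check, so a typo in the
    admin_only set silently turns an admin-only option into a SETTINGS one.
    """
    if not user.has(PERM_SETTINGS):
        return False
    key = f"{section}|{option}"
    if key in admin_only and not user.has(PERM_ADMIN):
        return False
    config[key] = value
    return True


def probe(admin_only, user=None):
    """Return the SSL options the given user can change under admin_only.

    Defaults to a user holding only SETTINGS, which is the case the
    advisory is about.
    """
    if user is None:
        user = User("settings_user", PERM_SETTINGS)
    config = {}
    changed = set()
    for key in sorted(ACTUAL_SSL_OPTIONS):
        section, option = key.split("|", 1)
        if set_config_value(user, section, option, "/path/changed", admin_only, config):
            changed.add(key)
    return changed


if __name__ == "__main__":
    print("vulnerable set, SETTINGS-only user can change:",
          sorted(probe(ADMIN_ONLY_CORE_OPTIONS_VULNERABLE)))
    print("fixed set, SETTINGS-only user can change:",
          sorted(probe(ADMIN_ONLY_CORE_OPTIONS_FIXED)))
```

The point of the model is that the check itself is fine; the data it consults is wrong. A unit test that asserts every admin-only entry is also a key the configuration actually exposes would have caught the drift between the two name sets.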
How can this vulnerability impact me?
This vulnerability can have serious security impacts including enabling Man-in-the-Middle (MitM) attacks by allowing an attacker to intercept and decrypt HTTPS traffic.
An attacker can steal admin credentials and session tokens, potentially escalating their privileges to full admin access.
However, exploitation requires that SSL be enabled by an admin, that the attacker be able to place files on the server filesystem (possibly via pyLoad's download functionality), and that the server be restarted so the malicious SSL files are loaded.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if non-admin users with SETTINGS permission are able to modify SSL certificate and key file paths in the pyLoad configuration.
Specifically, you can verify whether the ADMIN_ONLY_CORE_OPTIONS set in the pyLoad source code incorrectly uses the option names "ssl_cert" and "ssl_key" instead of the correct "ssl_certfile" and "ssl_keyfile", and whether "ssl_certchain" is missing.
To detect exploitation attempts, monitor API calls or configuration changes where users with SETTINGS permission set the options webui|ssl_certfile, webui|ssl_keyfile, or webui|ssl_certchain.
Suggested commands include:
- Review the pyLoad source code file src/pyload/core/api/__init__.py for the ADMIN_ONLY_CORE_OPTIONS set to check for incorrect option names.
- Audit pyLoad configuration changes or logs for modifications to webui|ssl_certfile, webui|ssl_keyfile, or webui|ssl_certchain by non-admin users.
- Use file system commands to check the SSL certificate and key files paths for unexpected changes, for example: `ls -l /path/to/ssl_certfile` and `ls -l /path/to/ssl_keyfile`.
- Monitor network traffic for unusual SSL certificates served by the pyLoad HTTPS server after restart.
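The audit step above (changes to `webui|ssl_certfile`, `webui|ssl_keyfile` or `webui|ssl_certchain` by non-admin users) can be scripted once configuration changes are logged with the acting user and their roles. The script below is an added example, not part of the advisory or of pyLoad: the log line format, the sample lines and the `/etc/pyload/ssl` directory are constructed for the example, and a real deployment would adapt the regex to whatever its own audit log looks like.

```python
"""Audit configuration-change log lines for SSL option changes.

Constructed example; the line format here is not pyLoad's real log format.
"""
import re
from pathlib import PurePosixPath

# Assumed log shape: "<date> <time> <LEVEL> user=<name> roles=<A,B> set_config <section>|<option>=<value>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+)\s+user=(?P<user>\S+) roles=(?P<roles>\S+) "
    r"set_config (?P<key>[^=]+)=(?P<value>.*)$"
)

# The three options the advisory says should be admin-only.
SSL_OPTIONS = {"webui|ssl_certfile", "webui|ssl_keyfile", "webui|ssl_certchain"}

# Constructed sample log: two admin changes, one benign non-admin change,
# two non-admin SSL changes, one line that does not parse.
SAMPLE_LOG = """\
2026-04-10 09:12:01 INFO  user=alice roles=ADMIN,SETTINGS set_config webui|ssl_certfile=/etc/pyload/ssl/server.crt
2026-04-10 09:12:02 INFO  user=alice roles=ADMIN,SETTINGS set_config webui|ssl_keyfile=/etc/pyload/ssl/server.key
2026-04-10 11:40:17 INFO  user=bob roles=SETTINGS set_config general|max_downloads=5
2026-04-10 11:41:03 INFO  user=bob roles=SETTINGS set_config webui|ssl_certfile=/var/lib/pyload/downloads/cert.pem
2026-04-10 11:41:05 INFO  user=bob roles=SETTINGS set_config webui|ssl_keyfile=/var/lib/pyload/downloads/key.pem
this line does not match the format and is skipped
"""


def _under(path: str, directory: str) -> bool:
    """True if path lies inside directory (pure string comparison, no filesystem access)."""
    p, d = PurePosixPath(path), PurePosixPath(directory)
    return p != d and d in p.parents


def audit_ssl_config_changes(log_text: str, allowed_dir: str = "/etc/pyload/ssl"):
    """Return one finding per SSL option change that deserves a look.

    A change is reported when the acting user lacks the ADMIN role, or when
    the new path points outside the directory where certificates are expected
    to live (a download directory is the example the advisory gives).
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unrelated or malformed line
        key = m.group("key").strip()
        if key not in SSL_OPTIONS:
            continue
        roles = set(m.group("roles").split(","))
        value = m.group("value").strip()
        reasons = []
        if "ADMIN" not in roles:
            reasons.append("non-admin user changed an admin-only SSL option")
        if not _under(value, allowed_dir):
            reasons.append(f"path outside {allowed_dir}")
        if reasons:
            findings.append({
                "ts": m.group("ts"),
                "user": m.group("user"),
                "option": key,
                "value": value,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_ssl_config_changes(SAMPLE_LOG):
        print(f["ts"], f["user"], f["option"], f["value"], "; ".join(f["reasons"]))
```

Either signal on its own is worth an alert on an unpatched instance: a non-admin touching these options is exactly the bypass, and an admin pointing the server at a certificate under a download directory is the file-placement half of the scenario. Pair the script with the `ls -l` checks above so the on-disk files are compared against what the log says was configured.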
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the pyLoad source code to fix the ADMIN_ONLY_CORE_OPTIONS set by replacing the incorrect option names and adding the missing option.
Specifically, update src/pyload/core/api/__init__.py so that ADMIN_ONLY_CORE_OPTIONS includes:
- "webui|ssl_certfile" instead of "ssl_cert"
- "webui|ssl_keyfile" instead of "ssl_key"
- Add the missing "webui|ssl_certchain" option.
This ensures that only admin users can modify SSL certificate and key file paths.
Additionally, restrict file system permissions to prevent unauthorized users from placing malicious SSL certificate and key files on the server.
Finally, after applying the fix, restart the pyLoad server to apply the corrected authorization checks.