CVE-2026-35586
Received Received - Intake
Authorization Bypass in pyLoad Allows SSL Certificate Overwrite

Publication date: 2026-04-07

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. This vulnerability is fixed in 0.5.0b3.dev97.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-35586
EUVD
EUVD-2026-19736
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pyload-ng_project pyload-ng to 0.5.0b3.dev96 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in pyLoad occurs because the authorization check for certain SSL configuration options uses incorrect option names. Specifically, the admin-only set of options incorrectly lists "ssl_cert" and "ssl_key" instead of the actual option names "ssl_certfile" and "ssl_keyfile", and it completely omits the "ssl_certchain" option.

Due to this mismatch, the admin-only check always fails for these SSL-related options, allowing any user with SETTINGS permission (not necessarily an admin) to overwrite the SSL certificate and key file paths.

This means an attacker with SETTINGS permission can supply their own SSL certificate and key file paths, which the server will load after a restart, effectively enabling the attacker to serve HTTPS with their own credentials.

Impact Analysis

This vulnerability can have serious security impacts including enabling Man-in-the-Middle (MitM) attacks by allowing an attacker to intercept and decrypt HTTPS traffic.

An attacker can steal admin credentials and session tokens, potentially escalating their privileges to full admin access.

However, exploitation requires that SSL is enabled by an admin, the attacker has the ability to place files on the server filesystem (possibly via pyLoad's download functionality), and the server is restarted to load the malicious SSL files.

Detection Guidance

This vulnerability can be detected by checking if non-admin users with SETTINGS permission are able to modify SSL certificate and key file paths in the pyLoad configuration.

Specifically, you can verify whether the ADMIN_ONLY_CORE_OPTIONS set in the pyLoad source code incorrectly uses the option names "ssl_cert" and "ssl_key" instead of the correct "ssl_certfile" and "ssl_keyfile", and whether "ssl_certchain" is missing.

To detect exploitation attempts, monitor API calls or configuration changes where users with SETTINGS permission set the options webui|ssl_certfile, webui|ssl_keyfile, or webui|ssl_certchain.

Suggested commands include:

  • Review the pyLoad source code file src/pyload/core/api/__init__.py for the ADMIN_ONLY_CORE_OPTIONS set to check for incorrect option names.
  • Audit pyLoad configuration changes or logs for modifications to webui|ssl_certfile, webui|ssl_keyfile, or webui|ssl_certchain by non-admin users.
  • Use file system commands to check the SSL certificate and key files paths for unexpected changes, for example: `ls -l /path/to/ssl_certfile` and `ls -l /path/to/ssl_keyfile`.
  • Monitor network traffic for unusual SSL certificates served by the pyLoad HTTPS server after restart.
Mitigation Strategies

Immediate mitigation steps include updating the pyLoad source code to fix the ADMIN_ONLY_CORE_OPTIONS set by replacing the incorrect option names and adding the missing option.

Specifically, update src/pyload/core/api/__init__.py so that ADMIN_ONLY_CORE_OPTIONS includes:

  • "webui|ssl_certfile" instead of "ssl_cert"
  • "webui|ssl_keyfile" instead of "ssl_key"
  • Add the missing "webui|ssl_certchain" option.

This ensures that only admin users can modify SSL certificate and key file paths.

Additionally, restrict file system permissions to prevent unauthorized users from placing malicious SSL certificate and key files on the server.

Finally, after applying the fix, restart the pyLoad server to apply the corrected authorization checks.

Compliance Impact

This vulnerability allows unauthorized users with SETTINGS permission to overwrite SSL certificate and key file paths, enabling Man-in-the-Middle (MitM) attacks that can intercept and decrypt HTTPS traffic, including admin credentials and session tokens.

Such unauthorized access and potential credential theft can lead to violations of data protection and privacy requirements found in standards like GDPR and HIPAA, which mandate the protection of sensitive data and secure communications.

By compromising the confidentiality and integrity of encrypted communications, this vulnerability undermines compliance with these regulations that require strong security controls to prevent unauthorized data access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35586. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart