Executive Summary

CVE-2026-40071 is a permission mismatch vulnerability in the pyLoad-ng WebUI JSON API. It allows authenticated users with limited permissions (ADD or DELETE) to perform actions that should require higher MODIFY permissions. Specifically, some WebUI JSON endpoints enforce weaker permission checks than the core API methods they call, enabling unauthorized execution of MODIFY-level operations.

• The endpoints /json/package_order and /json/link_order require only ADD permission but invoke operations that need MODIFY permission.
• The endpoint /json/abort_link requires only DELETE permission but calls an operation requiring MODIFY permission.

This flaw allows low-privileged users to reorder download packages and files or abort downloads without proper authorization, violating pyLoad's intended permission model.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing unauthorized users with limited permissions to perform actions that should be restricted, leading to integrity and availability issues.

• Integrity Impact: Unauthorized reordering of download queues and files by users without MODIFY permission.
• Availability Impact: Unauthorized aborting of active downloads by users without MODIFY permission.

The scope of the impact is horizontal privilege escalation among authenticated non-admin users, meaning no admin takeover is possible but users can perform unauthorized modifications within their environment.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing whether users with limited permissions (ADD or DELETE) can perform MODIFY-level operations via the WebUI JSON API endpoints.

Specifically, you can attempt HTTP POST requests to the following endpoints using credentials of a low-privileged user:

• POST /json/package_order to test reordering packages
• POST /json/link_order to test reordering files
• POST /json/abort_link to test aborting downloads

If these requests succeed (HTTP 200) and the operations are executed despite the user lacking MODIFY permission, the vulnerability is present.

Example command using curl for a user with ADD permission to test package reorder:

• curl -X POST -u user:add_permission_password https://your-pyload-instance/json/package_order -d '{"order": [...]}'

Similarly, test the other endpoints with appropriate user credentials and payloads to confirm unauthorized MODIFY operations.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade pyLoad-ng to version 0.5.0b3.dev97 or later, where this permission enforcement issue is fixed.

Until the upgrade can be applied, consider restricting access to the WebUI JSON API endpoints to trusted users only, especially limiting users with ADD or DELETE permissions from accessing these endpoints.

Additionally, review and tighten user permissions to minimize the number of users with ADD or DELETE permissions who could exploit this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in pyLoad-ng allows authenticated low-privileged users to perform unauthorized MODIFY operations, such as reordering download queues and aborting downloads, which impacts the integrity and availability of the system.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, improper authorization and permission bypass vulnerabilities can potentially lead to non-compliance with such regulations if they result in unauthorized data modification or service disruption.

Specifically, regulations like GDPR and HIPAA require appropriate access controls to protect data integrity and availability. This vulnerability violates the intended permission model, which could be seen as a failure to enforce adequate access controls.

Useful 0 Not Useful 0