CVE-2026-40594
Race Condition in pyLoad Session Cookie Handling Risks Security

Publication date: 2026-04-21

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSION_COOKIE_SECURE on every request. Because pyLoad uses the multi-threaded Cheroot WSGI server (request_queue_size=512), this creates a race condition where an attacker's request can influence the Secure flag on other users' session cookies: either downgrading cookie security behind a TLS proxy or causing a session denial-of-service on plain HTTP deployments. This vulnerability is fixed in 0.5.0b3.dev98.
Generated: 2026-06-16; AI Q&A: 2026-04-21; EPSS evaluated: 2026-06-15
Affected Vendors & Products
Vendor: pyload-ng_project
Product: pyload-ng
Version / Range: up to 0.5.0b3.dev69 (exclusive)
CWE-346: The product does not properly verify that the source of data or communication is valid.
Executive Summary

CVE-2026-40594 is a moderate severity vulnerability in the pyLoad download manager related to session cookie security. The issue arises because the application reads the X-Forwarded-Proto HTTP header from any incoming request without verifying if the request comes from a trusted proxy. This header is used to dynamically set the global SESSION_COOKIE_SECURE flag in Flask on every request.

Because pyLoad uses a multi-threaded server, this global flag mutation creates a race condition where an attacker can send spoofed requests to manipulate the Secure flag on other users' session cookies. This can either downgrade the security of cookies behind a TLS proxy or cause session denial-of-service on plain HTTP deployments.

The vulnerability is exploitable without authentication and is caused by lack of origin validation for the header and unsafe global state mutation in a multi-threaded environment.

Impact Analysis

This vulnerability can impact users in two main ways:

  • Cookie Security Downgrade: An attacker can force the SESSION_COOKIE_SECURE flag to be set to false by sending spoofed requests with X-Forwarded-Proto: http. This causes legitimate users behind a TLS proxy to receive session cookies without the Secure flag, making them vulnerable to interception and session hijacking over plaintext HTTP.
  • Session Denial of Service: An attacker can force the SESSION_COOKIE_SECURE flag to true by sending spoofed requests with X-Forwarded-Proto: https in a plain HTTP deployment. Browsers then refuse to send these Secure cookies over HTTP, causing legitimate users to be silently logged out and unable to maintain sessions.

Overall, this leads to potential session hijacking or denial of service without requiring any authentication.

Detection Guidance

This vulnerability involves manipulation of the X-Forwarded-Proto HTTP header and race conditions affecting the SESSION_COOKIE_SECURE flag in pyLoad's Flask application. Detection involves monitoring for suspicious or repeated requests with spoofed X-Forwarded-Proto headers.

  • Use network traffic analysis tools (e.g., tcpdump, Wireshark) to capture HTTP requests and filter for unusual or repeated X-Forwarded-Proto headers that do not match your trusted proxy setup.
  • On the server, inspect logs for HTTP requests containing the X-Forwarded-Proto header with unexpected values (e.g., 'http' when behind TLS proxy or 'https' on plain HTTP deployments).
  • Example command to filter logs for suspicious headers: grep -i 'X-Forwarded-Proto' /path/to/pyload/logs/access.log
  • Example tcpdump command to capture HTTP traffic and filter for the X-Forwarded-Proto header: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'X-Forwarded-Proto'. Note that traffic on port 443 is TLS-encrypted, so the header is only visible on the plaintext leg between the proxy and pyLoad; capture there, or on port 80.

Mitigation Strategies

Immediate mitigation steps focus on preventing untrusted manipulation of the X-Forwarded-Proto header and avoiding global mutation of the SESSION_COOKIE_SECURE flag.

  • Remove or disable the vulnerable before_request handler that dynamically sets SESSION_COOKIE_SECURE based on the X-Forwarded-Proto header.
  • Implement Werkzeug’s ProxyFix middleware with an explicit trusted proxy count to ensure only trusted proxies influence the X-Forwarded-Proto header.
  • Set the SESSION_COOKIE_SECURE flag statically at application startup based on whether SSL is used, rather than changing it per request.
  • Modify the application to set the Secure flag on cookies individually in an after_request handler, validating the request origin properly.
  • Upgrade pyLoad to version 0.5.0b3.dev98 or later where this vulnerability is fixed.
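
The pattern described above and the hardened form the mitigation list recommends, as an added example that is not pyLoad's code: a before_request-style hook that copies X-Forwarded-Proto into a shared config value is raced by a concurrent request, while the fixed variant honors the header only from a trusted proxy address and decides the Secure flag per request. Request dicts, TRUSTED_PROXIES and the addresses are constructed for the example.

```python
# Added example (not pyLoad's code): models the CVE-2026-40594 pattern.
# Shared config mutated per request is visible to every concurrently
# handled request; the hardened variant keeps the decision per request.

# Hypothetical request: client address, connection scheme, headers dict.
TRUSTED_PROXIES = {"10.0.0.2"}  # constructed: the TLS-terminating proxy

# --- vulnerable pattern ---------------------------------------------------
config = {"SESSION_COOKIE_SECURE": True}   # shared, like app.config

def before_request_vuln(req):
    # Mutates global config from an unvalidated header.
    config["SESSION_COOKIE_SECURE"] = req["headers"].get("X-Forwarded-Proto") == "https"

def set_cookie_vuln(req):
    # Reads the shared flag when the response is built.
    return {"name": "pyload_session", "secure": config["SESSION_COOKIE_SECURE"]}

def interleaved_vuln(victim, other):
    """Interleave two requests the way a threaded WSGI server can:
    victim's hook, other's hook, then victim's cookie is emitted."""
    before_request_vuln(victim)
    before_request_vuln(other)
    return set_cookie_vuln(victim)["secure"]

# --- hardened pattern -----------------------------------------------------
def effective_scheme(req, trusted=TRUSTED_PROXIES):
    """Honor X-Forwarded-Proto only from a trusted proxy; otherwise use
    the scheme of the connection itself (the rule ProxyFix applies)."""
    xfp = req["headers"].get("X-Forwarded-Proto", "").lower()
    if req["remote_addr"] in trusted and xfp in ("http", "https"):
        return xfp
    return req["scheme"]

def set_cookie_fixed(req):
    # Per-request decision; no shared state to race on.
    return {"name": "pyload_session", "secure": effective_scheme(req) == "https"}

def interleaved_fixed(victim, other):
    set_cookie_fixed(other)          # the other request runs concurrently
    return set_cookie_fixed(victim)["secure"]

# Constructed sample requests.
VICTIM = {"remote_addr": "10.0.0.2", "scheme": "http",
          "headers": {"X-Forwarded-Proto": "https"}}   # via the TLS proxy
SPOOFED = {"remote_addr": "203.0.113.9", "scheme": "http",
           "headers": {"X-Forwarded-Proto": "http"}}   # direct, spoofed
```
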

Compliance Impact

This vulnerability allows an attacker to downgrade the security of session cookies by manipulating the Secure flag, potentially exposing session cookies over plaintext HTTP. This exposure can lead to session hijacking, which compromises user confidentiality.

Such a compromise of session confidentiality could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data in transit and at rest. Specifically, failure to secure session cookies properly may violate requirements for maintaining confidentiality and integrity of user sessions and data.

Additionally, the vulnerability can cause session denial-of-service, disrupting availability, which may also conflict with regulatory expectations for reliable access to services.
