CVE-2026-40594
Race Condition in pyLoad Session Cookie Handling Risks Security
Publication date: 2026-04-21
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pyload-ng_project | pyload-ng | to 0.5.0b3.dev69 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40594 is a moderate severity vulnerability in the pyLoad download manager related to session cookie security. The issue arises because the application reads the X-Forwarded-Proto HTTP header from any incoming request without verifying if the request comes from a trusted proxy. This header is used to dynamically set the global SESSION_COOKIE_SECURE flag in Flask on every request.
Because pyLoad uses a multi-threaded server, this global flag mutation creates a race condition where an attacker can send spoofed requests to manipulate the Secure flag on other users' session cookies. This can either downgrade the security of cookies behind a TLS proxy or cause session denial-of-service on plain HTTP deployments.
The vulnerability is exploitable without authentication and is caused by lack of origin validation for the header and unsafe global state mutation in a multi-threaded environment.
How can this vulnerability impact me?
This vulnerability can impact users in two main ways:
- Cookie Security Downgrade: An attacker can force the SESSION_COOKIE_SECURE flag to be set to false by sending spoofed requests with X-Forwarded-Proto: http. This causes legitimate users behind a TLS proxy to receive session cookies without the Secure flag, making them vulnerable to interception and session hijacking over plaintext HTTP.
- Session Denial of Service: An attacker can force the SESSION_COOKIE_SECURE flag to true by sending spoofed requests with X-Forwarded-Proto: https in a plain HTTP deployment. Browsers then refuse to send these Secure cookies over HTTP, causing legitimate users to be silently logged out and unable to maintain sessions.
Overall, this leads to potential session hijacking or denial of service without requiring any authentication.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves manipulation of the X-Forwarded-Proto HTTP header and race conditions affecting the SESSION_COOKIE_SECURE flag in pyLoad's Flask application. Detection involves monitoring for suspicious or repeated requests with spoofed X-Forwarded-Proto headers.
- Use network traffic analysis tools (e.g., tcpdump, Wireshark) to capture HTTP requests and filter for unusual or repeated X-Forwarded-Proto headers that do not match your trusted proxy setup.
- On the server, inspect logs for HTTP requests containing the X-Forwarded-Proto header with unexpected values (e.g., 'http' when behind TLS proxy or 'https' on plain HTTP deployments).
- Example command to filter logs for suspicious headers: `grep -i 'X-Forwarded-Proto' /path/to/pyload/logs/access.log`
- Example tcpdump command to capture HTTP traffic and filter for the X-Forwarded-Proto header: `tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'X-Forwarded-Proto'`
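The grep above only lists lines that carry the header; the detection question is which of those came from a peer that is not your reverse proxy, or carry a value that contradicts your deployment. The following is an added example, not part of the advisory or of pyLoad: it scans constructed access-log lines in an assumed custom format (client IP, timestamp, request, status, and the X-Forwarded-Proto value as `xfp="..."`) and reports header values sent by untrusted peers or inconsistent with the expected scheme. The trusted proxy address and the log format are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed custom access-log format:
#   <client-ip> [<time>] "<request>" <status> xfp="<X-Forwarded-Proto or ->"
# 10.0.0.1 plays the trusted TLS-terminating proxy; the others connect directly.
SAMPLE_LOG = """\
10.0.0.1 [21/Apr/2026:10:00:01 +0000] "GET /login HTTP/1.1" 200 xfp="https"
198.51.100.7 [21/Apr/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 xfp="http"
198.51.100.7 [21/Apr/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 xfp="http"
10.0.0.1 [21/Apr/2026:10:00:03 +0000] "GET /api HTTP/1.1" 200 xfp="https"
203.0.113.9 [21/Apr/2026:10:00:04 +0000] "GET / HTTP/1.1" 200 xfp="https"
192.168.1.20 [21/Apr/2026:10:00:05 +0000] "GET / HTTP/1.1" 200 xfp="-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) xfp="(?P<xfp>[^"]*)"$'
)


def find_spoofed(log_text, trusted_proxies, expected_proto):
    """Return [((client_ip, header_value), count), ...], most frequent first.

    A line is suspicious when X-Forwarded-Proto is present and either
      - the peer is not a configured trusted proxy (direct client set the header), or
      - the value disagrees with how the deployment actually terminates TLS.
    """
    expected_proto = expected_proto.lower()
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        xfp = m["xfp"]
        if xfp == "-":
            continue  # header absent on this request
        ip = m["ip"]
        if ip not in trusted_proxies or xfp.lower() != expected_proto:
            hits[(ip, xfp)] += 1
    return sorted(hits.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    # Deployment assumption: one trusted proxy at 10.0.0.1 that terminates TLS.
    for (ip, xfp), n in find_spoofed(SAMPLE_LOG, {"10.0.0.1"}, "https"):
        print(f"{ip:<15} X-Forwarded-Proto={xfp!r:<8} x{n}")
```

Repeated hits from one non-proxy address, or alternating `http`/`https` values from the same peer, are the pattern the advisory's race exploitation would leave; a single stray header from a misconfigured client is usually noise.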
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps focus on preventing untrusted manipulation of the X-Forwarded-Proto header and avoiding global mutation of the SESSION_COOKIE_SECURE flag.
- Remove or disable the vulnerable before_request handler that dynamically sets SESSION_COOKIE_SECURE based on the X-Forwarded-Proto header.
- Implement Werkzeug's ProxyFix middleware with an explicit trusted proxy count to ensure only trusted proxies influence the X-Forwarded-Proto header.
- Set the SESSION_COOKIE_SECURE flag statically at application startup based on whether SSL is used, rather than changing it per request.
- Modify the application to set the Secure flag on cookies individually in an after_request handler, validating the request origin properly.
- Upgrade pyLoad to version 0.5.0b3.dev98 or later where this vulnerability is fixed.
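To make the two defects and the fix concrete, here is an added example that is not pyLoad's code and uses no Flask: `VulnerableApp` models the pattern the advisory describes (a process-wide SESSION_COOKIE_SECURE flag rewritten from X-Forwarded-Proto on every request, header trusted from anyone), and `HardenedApp` models the recommended shape (the header is honoured only when the request arrives from a configured proxy, in the spirit of ProxyFix, and the Secure flag is decided per response with no shared mutable state). Requests and responses are plain dicts; the proxy address 10.0.0.1 and the interleaving are constructed so the race is reproducible rather than left to thread timing.

```python
SESSION_COOKIE = "pyload_session"


def _request(remote_addr, scheme="http", headers=None):
    """Constructed stand-in for a WSGI request: peer address, transport scheme, headers."""
    return {"remote_addr": remote_addr, "scheme": scheme, "headers": dict(headers or {})}


class VulnerableApp:
    """Pattern described by the advisory: global flag mutated on every request."""

    def __init__(self):
        # Deployment intends TLS at the proxy, so the flag starts True.
        self.config = {"SESSION_COOKIE_SECURE": True}

    def before_request(self, req):
        # Header read from ANY peer, no proxy check; shared config rewritten.
        proto = req["headers"].get("X-Forwarded-Proto", "http")
        self.config["SESSION_COOKIE_SECURE"] = proto == "https"

    def after_request(self, req):
        # Reads the shared flag, which another thread may have changed meanwhile.
        secure = self.config["SESSION_COOKIE_SECURE"]
        return {"set_cookie": {"name": SESSION_COOKIE, "secure": secure}}


def race_downgrade():
    """Force the interleaving a multi-threaded server permits:
    victim before_request -> spoofed before_request -> victim after_request."""
    app = VulnerableApp()
    victim = _request("10.0.0.1", headers={"X-Forwarded-Proto": "https"})    # via TLS proxy
    spoofed = _request("198.51.100.7", headers={"X-Forwarded-Proto": "http"})  # direct peer
    app.before_request(victim)   # flag -> True
    app.before_request(spoofed)  # flag -> False, from an untrusted peer
    return app.after_request(victim)["set_cookie"]["secure"]  # False: Secure flag lost


class HardenedApp:
    """Trusted-proxy check plus per-response decision; nothing global is mutated."""

    def __init__(self, trusted_proxies):
        self.trusted_proxies = frozenset(trusted_proxies)  # fixed at startup

    def effective_scheme(self, req):
        # Honour X-Forwarded-Proto only from a configured proxy (ProxyFix-style trust,
        # modelled here by peer address; ProxyFix itself counts hops).
        proto = req["headers"].get("X-Forwarded-Proto", "").lower()
        if req["remote_addr"] in self.trusted_proxies and proto in ("http", "https"):
            return proto
        return req["scheme"]  # direct connection: believe the real transport only

    def after_request(self, req):
        # Secure is computed from this request's validated scheme, per cookie.
        secure = self.effective_scheme(req) == "https"
        return {"set_cookie": {"name": SESSION_COOKIE, "secure": secure}}


def hardened_under_same_interleaving():
    """Same three requests against the hardened app; order no longer matters."""
    app = HardenedApp(trusted_proxies={"10.0.0.1"})
    victim = _request("10.0.0.1", headers={"X-Forwarded-Proto": "https"})
    spoofed_http = _request("198.51.100.7", headers={"X-Forwarded-Proto": "http"})
    spoofed_https = _request("198.51.100.7", headers={"X-Forwarded-Proto": "https"})
    return (
        app.after_request(victim)["set_cookie"]["secure"],         # True
        app.after_request(spoofed_http)["set_cookie"]["secure"],   # False: plain transport
        app.after_request(spoofed_https)["set_cookie"]["secure"],  # False: header ignored
    )


if __name__ == "__main__":
    print("vulnerable, victim cookie Secure:", race_downgrade())
    print("hardened (victim, spoof http, spoof https):", hardened_under_same_interleaving())
```

The static alternative the advisory also lists is simpler still: decide SESSION_COOKIE_SECURE once at startup from whether TLS is used and never touch it per request; the per-response form above is what you need when one process must serve both a TLS proxy and direct plain-HTTP clients.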
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to downgrade the security of session cookies by manipulating the Secure flag, potentially exposing session cookies over plaintext HTTP. This exposure can lead to session hijacking, which compromises user confidentiality.
Such a compromise of session confidentiality could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data in transit and at rest. Specifically, failure to secure session cookies properly may violate requirements for maintaining confidentiality and integrity of user sessions and data.
Additionally, the vulnerability can cause session denial-of-service, disrupting availability, which may also conflict with regulatory expectations for reliable access to services.