CVE-2026-42312
Received Received - Intake
Authentication Bypass via SSL Verification Disable in pyLoad

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option ("general", "ssl_verify") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 β€” TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-42312
EUVD
EUVD-2026-29120
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pyload pyload to 0.5.0b3.dev100 (exc)
pyload pyload-ng to 0.5.0b3.dev99 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42312 is a vulnerability in pyload-ng versions up to 0.5.0b3.dev99 that allows non-admin users with the SETTINGS permission to disable outbound TLS peer verification by setting the ssl_verify configuration option to "off."

This happens because the ssl_verify option was not included in the ADMIN_ONLY_CORE_OPTIONS allowlist, which is supposed to restrict security-sensitive settings to admin users only.

As a result, an attacker on the network path can intercept and forge certificates for any HTTPS endpoint accessed by pyload, enabling data interception or manipulation.

Compliance Impact

This vulnerability allows an attacker to intercept and manipulate data by disabling TLS certificate validation, which can lead to exposure of sensitive information.

Such exposure and potential data manipulation can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require protection of data confidentiality and integrity during transmission.

By enabling man-in-the-middle attacks, the vulnerability undermines the security controls necessary to meet these regulatory requirements.

Impact Analysis

This vulnerability can lead to a man-in-the-middle attack where an attacker intercepts and manipulates data transmitted by pyload.

  • Sensitive data such as downloads, captcha fetches, and update checks can be exposed or altered.
  • TLS peer and hostname verification are disabled, removing protections against forged certificates.

The severity is rated as Moderate with a CVSS score of 6.8, due to the low privilege required to exploit it and the high impact on confidentiality and integrity.

Detection Guidance

This vulnerability can be detected by checking if any non-admin user with SETTINGS permission has set the configuration option general.ssl_verify to off in pyload.

You can inspect the pyload configuration files or query the pyload API to verify the value of ssl_verify.

Additionally, monitoring outbound pycurl requests for disabled SSL verification flags (SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0) can help detect exploitation.

  • Check pyload configuration for ssl_verify setting: grep -r 'ssl_verify' /path/to/pyload/config
  • Use pyload API or command line to query current settings if available.
  • Monitor network traffic for suspicious TLS connections that do not perform proper certificate verification.
Mitigation Strategies

The immediate mitigation is to upgrade pyload to version 0.5.0b3.dev100 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict non-admin users from having the SETTINGS permission to prevent them from disabling ssl_verify.

Review and enforce the allowlist ADMIN_ONLY_CORE_OPTIONS to ensure that security-sensitive options like ssl_verify cannot be modified by unauthorized users.

Monitor and audit configuration changes related to ssl_verify to detect any unauthorized modifications.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42312. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart