CVE-2026-42313
Proxy Configuration Bypass in pyLoad
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pyload | pyload | up to 0.5.0b3.dev100 (exclusive) |
| pyload | pyload-ng | up to 0.5.0b3.dev99 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-441 | The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if non-admin users with SETTINGS permission have configured proxy settings that redirect outbound traffic through an unauthorized proxy.
You can check the pyLoad configuration for proxy settings such as proxy.enabled, proxy.host, proxy.port, and proxy.type to see if they have been set to suspicious or attacker-controlled values.
On the system or network level, monitoring outbound traffic for unexpected proxy usage or unusual destinations can help detect exploitation.
- Inspect pyLoad configuration files or API settings for proxy parameters set by non-admin users.
- Use network monitoring tools (e.g., tcpdump, Wireshark) to capture outbound traffic and check if it is routed through unexpected proxy hosts.
- Example command to check network connections on Linux: `netstat -tnp | grep pyload` or `ss -tnp | grep pyload` to identify active connections and their destinations.
- Example command to monitor outbound HTTP traffic: `tcpdump -i any port 80 or port 443` and analyze if traffic is routed through suspicious proxy IPs.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated non-admin user to redirect all outbound traffic through an attacker-controlled proxy, enabling interception of sensitive data such as URLs, headers, cookies, and response bodies.
Such interception and potential data theft can lead to breaches of confidentiality and integrity, which are critical requirements under common standards and regulations like GDPR and HIPAA.
If exploited, this vulnerability could result in unauthorized access to personal or protected health information, thereby causing non-compliance with these regulations and potentially leading to legal and financial consequences.
Can you explain this vulnerability to me?
CVE-2026-42313 is a vulnerability in pyload-ng versions up to 0.5.0b3.dev99 that allows non-admin users with the SETTINGS permission to redirect all outbound traffic through an attacker-controlled proxy.
This happens because the set_config_value() API method uses an allowlist that restricts proxy credentials but does not restrict proxy configuration options such as proxy.enabled, proxy.host, proxy.port, or proxy.type.
An authenticated non-admin user can enable the proxy and set these options to point to a server they control, causing all outbound requests (downloads, captcha fetches, updates, plugin HTTP calls) to be routed through the attacker's proxy.
This allows the attacker to intercept traffic, including URLs, headers, cookies, and response bodies, potentially stealing credentials, injecting malicious responses, or performing man-in-the-middle attacks.
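The two answers above (the detection checklist and the explanation of the allowlist gap) are illustrated by the following added example. It is not pyLoad's code and reproduces none of its API; the permission model, the `set_config_value` wrapper, the INI layout of the sample config and the host `203.0.113.7` are all constructed for the example. It shows the flawed gate the advisory describes (only `proxy.username`/`proxy.password` reserved for admins, so a SETTINGS user can still flip `proxy.enabled`, `proxy.host`, `proxy.port`, `proxy.type`), a hardened gate that reserves the whole `proxy` section for admins, and an audit routine a defender can run over a config file to flag an enabled proxy that points anywhere outside an approved set of hosts.

```python
"""Authorization gate for a set-config-value style API (flawed vs hardened)
plus a proxy-configuration audit.  Added example; not pyLoad's own code.
Every identifier below is hypothetical."""

import configparser
from dataclasses import dataclass, field

# Constructed permission flag; pyLoad's real permission constants are not used here.
PERM_SETTINGS = "SETTINGS"


@dataclass
class User:
    name: str
    is_admin: bool
    permissions: set = field(default_factory=set)


# Flawed rule (the shape the advisory describes): only the proxy credentials
# are admin-only, so proxy.enabled / host / port / type remain writable by
# any non-admin user who holds SETTINGS.
ADMIN_ONLY_OPTIONS_FLAWED = {("proxy", "username"), ("proxy", "password")}

# Hardened rule: anything that changes where outbound traffic goes is
# admin-only as a whole section, independent of the SETTINGS permission.
ADMIN_ONLY_SECTIONS_HARDENED = {"proxy"}


def _has_settings_access(user):
    return user.is_admin or PERM_SETTINGS in user.permissions


def can_set_config_flawed(user, section, option):
    """CWE-863 variant: the check exists but covers too little."""
    if not _has_settings_access(user):
        return False
    if (section, option) in ADMIN_ONLY_OPTIONS_FLAWED:
        return user.is_admin
    return True


def can_set_config_hardened(user, section, option):
    """Gate the whole proxy section, not just its credentials."""
    if not _has_settings_access(user):
        return False
    if section in ADMIN_ONLY_SECTIONS_HARDENED:
        return user.is_admin
    return True


def set_config_value(config, user, section, option, value, check=can_set_config_hardened):
    """Write a config option only if the supplied gate allows it."""
    if not check(user, section, option):
        raise PermissionError(f"{user.name} may not set {section}.{option}")
    if not config.has_section(section):
        config.add_section(section)
    config.set(section, option, str(value))


def load_config(text):
    """Parse INI-style text into a ConfigParser (constructed layout)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def audit_proxy_config(config, approved_hosts):
    """Return human-readable findings: is a proxy enabled, and does it point
    at a host the operator has not approved?  Empty list means nothing to flag."""
    findings = []
    if not config.has_section("proxy"):
        return findings
    if not config.getboolean("proxy", "enabled", fallback=False):
        return findings
    host = config.get("proxy", "host", fallback="")
    port = config.get("proxy", "port", fallback="")
    ptype = config.get("proxy", "type", fallback="")
    findings.append(f"proxy enabled: type={ptype or '?'} host={host or '?'} port={port or '?'}")
    if host not in approved_hosts:
        findings.append(f"proxy host '{host}' is not in the approved set {sorted(approved_hosts)}")
    return findings


# Constructed sample config in the shape a defender might find on disk.
# 203.0.113.7 is a documentation-range address standing in for an unapproved proxy.
SAMPLE_CONFIG = """
[proxy]
enabled = True
type = http
host = 203.0.113.7
port = 8080
username =
password =
"""

if __name__ == "__main__":
    bob = User("bob", is_admin=False, permissions={PERM_SETTINGS})
    print("flawed gate lets bob set proxy.host:", can_set_config_flawed(bob, "proxy", "host"))
    print("hardened gate lets bob set proxy.host:", can_set_config_hardened(bob, "proxy", "host"))
    for line in audit_proxy_config(load_config(SAMPLE_CONFIG), {"proxy.corp.example"}):
        print("AUDIT:", line)
```

The audit deliberately takes an explicit set of approved proxy hosts rather than guessing from address ranges: an operator knows which proxies are legitimate, and anything else that is enabled deserves a look. Pair it with the connection and packet checks listed in the detection answer to confirm where traffic actually goes.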
How can this vulnerability impact me?
This vulnerability can severely impact the confidentiality and integrity of your data.
- An attacker can intercept all outbound traffic from pyload, including downloads, captcha fetches, update checks, and plugin HTTP calls.
- Sensitive information such as URLs, headers, cookies, and credentials can be stolen.
- The attacker can inject malicious responses or perform man-in-the-middle attacks.
- This could lead to unauthorized access, data theft, or further compromise of your system.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade pyLoad to version 0.5.0b3.dev100 or later, where this vulnerability is fixed.
Until the upgrade can be applied, restrict the SETTINGS permission to trusted admin users only, preventing non-admin users from modifying proxy settings.
Review and reset any proxy configuration settings in pyLoad to ensure they are not pointing to unauthorized proxy servers.
Monitor outbound traffic for signs of proxy redirection and unauthorized interception.
Consider implementing network-level controls to block unauthorized proxy connections.