CVE-2026-42313
Proxy Configuration Bypass in pyLoad

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist contains ("proxy", "username") and ("proxy", "password"), which protect the proxy credentials, but it does not include ("proxy", "enabled"), ("proxy", "host"), ("proxy", "port"), or ("proxy", "type"). Any authenticated user with the non-admin SETTINGS permission can enable proxying and point pyLoad at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.
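As an added illustration (model code written for this page, not pyLoad's own source), a minimal version of the allowlist gate described above, with the pre-fix allowlist beside a hardened check that treats the whole proxy section as admin-only. Only the names ADMIN_ONLY_CORE_OPTIONS, Perms.SETTINGS and the ("proxy", ...) option tuples come from the advisory; the Perms.ADMIN flag, ADMIN_ONLY_SECTIONS and the function signatures are assumptions.

```python
# Model of the allowlist gate described in the advisory. Illustrative code for
# this page, not pyLoad's implementation: only ADMIN_ONLY_CORE_OPTIONS,
# Perms.SETTINGS and the ("proxy", ...) tuples are taken from the advisory text;
# everything else is an assumed simplification.
from enum import Flag, auto


class Perms(Flag):
    SETTINGS = auto()
    ADMIN = auto()      # assumed: the privilege the allowlist is meant to require


# Pre-fix allowlist: it protects the proxy credentials but not the options that
# decide whether traffic is proxied and where it goes.
ADMIN_ONLY_CORE_OPTIONS = {
    ("proxy", "username"),
    ("proxy", "password"),
}

# Hardened policy (assumed design): any section that can redirect outbound
# traffic is admin-only as a whole, so no single option can be forgotten.
ADMIN_ONLY_SECTIONS = {"proxy"}


def set_config_value_vulnerable(perms, section, option, value, config):
    """Pre-fix behaviour: only tuples listed in ADMIN_ONLY_CORE_OPTIONS need ADMIN."""
    if not perms & Perms.SETTINGS:
        raise PermissionError("SETTINGS permission required")
    if (section, option) in ADMIN_ONLY_CORE_OPTIONS and not perms & Perms.ADMIN:
        raise PermissionError("admin only")
    config[(section, option)] = value
    return True


def set_config_value_fixed(perms, section, option, value, config):
    """Hardened behaviour: the whole proxy section plus the explicit list need ADMIN."""
    if not perms & Perms.SETTINGS:
        raise PermissionError("SETTINGS permission required")
    admin_only = (section in ADMIN_ONLY_SECTIONS
                  or (section, option) in ADMIN_ONLY_CORE_OPTIONS)
    if admin_only and not perms & Perms.ADMIN:
        raise PermissionError("admin only")
    config[(section, option)] = value
    return True


def can_set(setter, perms, section, option, value="x"):
    """True if setter accepts the change for these perms, False if it refuses."""
    try:
        setter(perms, section, option, value, {})
        return True
    except PermissionError:
        return False
```

With the vulnerable gate, a SETTINGS-only caller is refused ("proxy", "password") but allowed ("proxy", "host"); the hardened gate refuses every proxy option for that caller.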
Affected Vendors & Products
Vendor   Product     Version / Range
pyload   pyload      up to 0.5.0b3.dev100 (excluding)
pyload   pyload-ng   up to 0.5.0b3.dev99 (including)
CWE ID    Description
CWE-863   The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-441   The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
CWE-918   The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying if non-admin users with SETTINGS permission have configured proxy settings that redirect outbound traffic through an unauthorized proxy.

You can check the pyLoad configuration for proxy settings such as proxy.enabled, proxy.host, proxy.port, and proxy.type to see if they have been set to suspicious or attacker-controlled values.

On the system or network level, monitoring outbound traffic for unexpected proxy usage or unusual destinations can help detect exploitation.

  • Inspect pyLoad configuration files or API settings for proxy parameters set by non-admin users.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture outbound traffic and check if it is routed through unexpected proxy hosts.
  • Example command to check network connections on Linux: `netstat -tnp | grep pyload` or `ss -tnp | grep pyload` to identify active connections and their destinations.
  • Example command to monitor outbound HTTP traffic: `tcpdump -i any port 80 or port 443` and analyze if traffic is routed through suspicious proxy IPs.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an authenticated non-admin user to redirect all outbound traffic through an attacker-controlled proxy, enabling interception of sensitive data such as URLs, headers, cookies, and response bodies.

Such interception and potential data theft can lead to breaches of confidentiality and integrity, which are critical requirements under common standards and regulations like GDPR and HIPAA.

If exploited, this vulnerability could result in unauthorized access to personal or protected health information, thereby causing non-compliance with these regulations and potentially leading to legal and financial consequences.


Can you explain this vulnerability to me?

CVE-2026-42313 is a vulnerability in pyload-ng versions up to 0.5.0b3.dev99 that allows non-admin users with the SETTINGS permission to redirect all outbound traffic through an attacker-controlled proxy.

This happens because the set_config_value() API method uses an allowlist that restricts proxy credentials but does not restrict proxy configuration options such as proxy.enabled, proxy.host, proxy.port, or proxy.type.

An authenticated non-admin user can enable the proxy and set these options to point to a server they control, causing all outbound requests (downloads, captcha fetches, updates, plugin HTTP calls) to be routed through the attacker's proxy.

This allows the attacker to intercept traffic, including URLs, headers, cookies, and response bodies, potentially stealing credentials, injecting malicious responses, or performing man-in-the-middle attacks.


How can this vulnerability impact me?

This vulnerability can severely impact the confidentiality and integrity of your data.

  • An attacker can intercept all outbound traffic from pyload, including downloads, captcha fetches, update checks, and plugin HTTP calls.
  • Sensitive information such as URLs, headers, cookies, and credentials can be stolen.
  • The attacker can inject malicious responses or perform man-in-the-middle attacks.
  • This could lead to unauthorized access, data theft, or further compromise of your system.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade pyLoad to version 0.5.0b3.dev100 or later, where this vulnerability is fixed.

Until the upgrade can be applied, restrict the SETTINGS permission to trusted admin users only, preventing non-admin users from modifying proxy settings.

Review and reset any proxy configuration settings in pyLoad to ensure they are not pointing to unauthorized proxy servers.

Monitor outbound traffic for signs of proxy redirection and unauthorized interception.

Consider implementing network-level controls to block unauthorized proxy connections.
