CVE-2026-45306
Deferred Deferred - Pending Action
Session File Exposure in pyLoad Download Manager

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). An authenticated attacker can set storage_folder to the session directory and download session files of other users via /files/get/, leading to account takeover. This vulnerability is fixed in 0.5.0b3.dev100.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-45306
EUVD
EUVD-2026-32958
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
pyload pyload to 0.5.0b3.dev100 (exc)
pyload pyload to 0.5.0b3 (exc)
pyload pyload 0.5.0b3.dev100
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45306 is a vulnerability in pyLoad, a Python-based download manager, where an incomplete fix for a previous issue allowed an authenticated attacker to exploit the Flask session directory.

Specifically, although the original fix prevented setting the storage_folder inside certain directories (PKGDIR or userdir), it did not protect the Flask session directory located at /tmp/pyLoad/flask.

An attacker with authentication privileges can set the storage_folder to this Flask session directory and then download session files of other users via the /files/get/ endpoint, leading to session theft and potential account takeover.

Impact Analysis

This vulnerability can lead to serious security impacts including unauthorized access to other users' session files.

By stealing session files, an attacker can hijack user sessions and take over accounts, compromising confidentiality and integrity of user data.

The CVSS score of 6.5 indicates a moderate severity with high impact on confidentiality and integrity, but no impact on availability.

Detection Guidance

Detection of this vulnerability involves checking if the pyLoad instance is running a version prior to 0.5.0b3.dev100 and if the storage_folder setting can be manipulated to point to the Flask session directory (/tmp/pyLoad/flask).

You can verify the pyLoad version by running a command like:

  • python -m pyload --version

To detect if the storage_folder is set to the Flask session directory, you can inspect the configuration files or attempt to access session files via the /files/get/ endpoint if you have authenticated access.

Network monitoring can include checking for unusual HTTP requests to /files/get/ that attempt to download session files.

Mitigation Strategies

The immediate mitigation step is to upgrade pyLoad to version 0.5.0b3.dev100 or later, where the vulnerability is fixed by blocking the Flask session directory from being set as storage_folder.

If upgrading is not immediately possible, restrict authenticated users from setting the storage_folder to /tmp/pyLoad/flask or any session directory.

Additionally, monitor and restrict access to the /files/get/ endpoint to prevent unauthorized downloading of session files.

Compliance Impact

This vulnerability allows an authenticated attacker to access and download session files of other users, leading to account takeover. Such unauthorized access to user session data can result in a breach of confidentiality and integrity of personal information.

Because the vulnerability exposes sensitive user session data, it may lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45306. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart