CVE-2026-45306
Session File Exposure in pyLoad Download Manager
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pyload | pyload | up to 0.5.0b3.dev100 (exclusive) |
| pyload | pyload | up to 0.5.0b3 (exclusive) |
| pyload | pyload | 0.5.0b3.dev100 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-706 | The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45306 is a vulnerability in pyLoad, a Python-based download manager, where an incomplete fix for a previous issue allowed an authenticated attacker to exploit the Flask session directory.
Specifically, although the original fix prevented setting the storage_folder inside certain directories (PKGDIR or userdir), it did not protect the Flask session directory located at /tmp/pyLoad/flask.
An attacker with authentication privileges can set the storage_folder to this Flask session directory and then download session files of other users via the /files/get/ endpoint, leading to session theft and potential account takeover.
How can this vulnerability impact me?
This vulnerability can lead to serious security impacts including unauthorized access to other users' session files.
By stealing session files, an attacker can hijack user sessions and take over accounts, compromising confidentiality and integrity of user data.
The CVSS score of 6.5 indicates a moderate severity with high impact on confidentiality and integrity, but no impact on availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the pyLoad instance is running a version prior to 0.5.0b3.dev100 and if the storage_folder setting can be manipulated to point to the Flask session directory (/tmp/pyLoad/flask).
You can verify the pyLoad version by running a command like:
- python -m pyload --version
To detect if the storage_folder is set to the Flask session directory, you can inspect the configuration files or attempt to access session files via the /files/get/ endpoint if you have authenticated access.
Network monitoring can include checking for unusual HTTP requests to /files/get/ that attempt to download session files.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated attacker to access and download session files of other users, leading to account takeover. Such unauthorized access to user session data can result in a breach of confidentiality and integrity of personal information.
Because the vulnerability exposes sensitive user session data, it may lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade pyLoad to version 0.5.0b3.dev100 or later, where the vulnerability is fixed by blocking the Flask session directory from being set as storage_folder.
If upgrading is not immediately possible, restrict authenticated users from setting the storage_folder to /tmp/pyLoad/flask or any session directory.
Additionally, monitor and restrict access to the /files/get/ endpoint to prevent unauthorized downloading of session files.
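The fix described above amounts to a containment check on the user-controlled storage_folder setting: the candidate path must not resolve to, or inside, the Flask session directory or the other protected directories. The following is an added example of such a check, written for this page and not taken from pyLoad's own code. It assumes placeholder values for PKGDIR and the user directory (only the /tmp/pyLoad/flask path comes from the advisory), canonicalises paths with realpath so symlinks and .. segments cannot slip past the comparison, uses commonpath rather than a string prefix test so that /tmp/pyLoad/flasky is not confused with /tmp/pyLoad/flask, and optionally enforces an allow-list root, which is the more robust shape because a deny-list is exactly what the incomplete original fix got wrong.

```python
"""Containment check for a user-controlled storage folder (added example, not pyLoad code)."""
import os
import tempfile

# The session directory named in the advisory; the other two are constructed
# placeholders standing in for pyLoad's PKGDIR and user directory.
FLASK_SESSION_DIR = "/tmp/pyLoad/flask"
PKGDIR = "/opt/pyload/pkg"          # placeholder, not pyLoad's real value
USERDIR = "/home/pyload/.pyload"    # placeholder, not pyLoad's real value

FORBIDDEN_DIRS = (PKGDIR, USERDIR, FLASK_SESSION_DIR)


def _canonical(path: str) -> str:
    """Resolve ~, relative segments and symlinks so we compare real locations."""
    return os.path.realpath(os.path.abspath(os.path.expanduser(path)))


def is_within(path: str, root: str) -> bool:
    """True if `path` equals `root` or lies beneath it after canonicalisation.

    commonpath works on path components, so a sibling directory whose name merely
    starts with the root's name (e.g. .../flasky vs .../flask) is not matched.
    """
    p, r = _canonical(path), _canonical(root)
    try:
        return os.path.commonpath([p, r]) == r
    except ValueError:  # e.g. different drives on Windows: cannot be within
        return False


def validate_storage_folder(candidate: str, forbidden=FORBIDDEN_DIRS, allowed_root=None):
    """Return (ok, reason) for a proposed storage_folder value.

    Rejects any candidate inside a forbidden directory and, when allowed_root is
    given, additionally requires the candidate to sit inside that root.
    """
    for bad in forbidden:
        if is_within(candidate, bad):
            return False, f"storage_folder must not be inside {bad}"
    if allowed_root is not None and not is_within(candidate, allowed_root):
        return False, f"storage_folder must be inside {allowed_root}"
    return True, "ok"


def demo_symlink_is_caught() -> bool:
    """Constructed demonstration: a symlink that points at a protected directory
    is rejected because the check compares resolved paths, not the given string."""
    with tempfile.TemporaryDirectory() as tmp:
        protected = os.path.join(tmp, "sessions")
        os.makedirs(protected)
        link = os.path.join(tmp, "innocent_looking")
        os.symlink(protected, link)
        ok, _ = validate_storage_folder(link, forbidden=(protected,))
        return ok is False


if __name__ == "__main__":
    for cand in ("/srv/downloads", FLASK_SESSION_DIR, FLASK_SESSION_DIR + "/../flask/", "/tmp/pyLoad/flasky"):
        print(cand, "->", validate_storage_folder(cand))
    print("symlink caught:", demo_symlink_is_caught())
```

In a real deployment the allow-list form (`allowed_root=` set to a dedicated download root) is preferable to maintaining a list of places that must not be used; the advisory itself is the record of what happens when one such place is forgotten.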