Compliance Impact

The vulnerability allows an authenticated attacker to bypass private IP checks via HTTP redirects, potentially exposing sensitive internal data such as IAM credentials or instance metadata.

Exposure of such sensitive information could lead to unauthorized access or data breaches, which may impact compliance with standards and regulations like GDPR or HIPAA that require protection of sensitive data.

However, the provided information does not explicitly mention compliance impacts or specific regulatory consequences.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-46561 is a Server-Side Request Forgery (SSRF) vulnerability in pyload-ng versions up to 0.5.0b3.dev87. It occurs because the parse_urls API method validates the initial URL hostname but does not properly enforce private IP address checks when handling HTTP redirects.

An authenticated attacker with ADD permission can supply a URL that redirects to an internal or private IP address, bypassing the is_global_host() check. This happens because HTTPRequest, used by the parse_urls API, allows redirects to private IPs by default (allow_private_ip=True).

This vulnerability allows attackers to make the server send requests to internal network resources or cloud metadata endpoints, potentially exposing sensitive information.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to bypass network restrictions and access internal or private IP addresses through the vulnerable server.

As a result, sensitive data such as IAM credentials or instance metadata stored on internal services could be exposed to the attacker.

The attack requires low privileges (authenticated user with ADD permission) and has low attack complexity, making it a moderate risk.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves an SSRF attack where an authenticated attacker supplies a URL that redirects to an internal or private IP address, bypassing private IP checks.

To detect exploitation attempts on your system or network, monitor logs for unusual HTTP requests made by the parse_urls API or HTTPRequest component, especially those involving 302 redirects to private IP ranges.

You can use network monitoring tools or commands to identify outbound HTTP requests that redirect to private IP addresses.

• Use tcpdump or Wireshark to capture HTTP traffic and filter for 302 redirects pointing to private IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
• Check application logs for parse_urls API calls with URLs that result in redirects to internal IPs.
• Example tcpdump command to capture HTTP redirects to private IPs: tcpdump -i any -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Location: http://10.'
• Use curl or similar tools to test the parse_urls API with URLs that redirect to private IPs to verify if the vulnerability exists.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in pyload-ng version 0.5.0b3.dev100 by enforcing private IP checks on HTTP redirects.

Immediate mitigation steps include:

• Upgrade pyload-ng to version 0.5.0b3.dev100 or later where the fix is applied.
• If upgrading is not immediately possible, modify the code to set allow_private_ip=False in RequestFactory.get_url() or change the default in HTTPRequest.__init__ to disallow private IP redirects.
• Restrict authenticated users' permissions to limit who can supply URLs to the parse_urls API.
• Monitor and block HTTP requests that redirect to private IP addresses at the network perimeter.

Useful 0 Not Useful 0