https://feed.craftedsignal.io/tags/pyload/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 22 Apr 2026 00:16:29 +0000https://feed.craftedsignal.io/briefs/2024-01-02-pyload-privesc/Wed, 22 Apr 2026 00:16:29 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-pyload-privesc/pyLoad versions up to 0.5.0b3.dev97 cache user roles and permissions in the session, leading to privilege escalation even after an admin revokes privileges.pyLoad, a free and open-source download manager written in Python, is vulnerable to a privilege escalation issue. Specifically, versions up to and including 0.5.0b3.dev97 cache user role and permission data within the session upon login. This cached data is then used to authorize subsequent requests, even if an administrator modifies the user’s roles or permissions directly in the database. Consequently, a user who is already logged in retains their original, possibly revoked, privileges until they log out or their session expires. This vulnerability, identified as CVE-2026-41133, stems from a core authorization/session-consistency flaw within pyLoad and allows for potentially unauthorized actions to be performed. The fix for this vulnerability is included in commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1.

Attack Chain

1. An attacker gains initial access to a pyLoad user account, either through credential compromise or other means.
2. The attacker logs into pyLoad, establishing a session. The user’s roles and permissions are cached within this session.
3. A pyLoad administrator revokes specific privileges or changes the role associated with the attacker’s account in the pyLoad database.
4. The attacker, still logged in with the existing session, attempts to perform an action that should now be unauthorized given the administrator’s changes.
5. pyLoad authorizes the action based on the cached roles and permissions stored in the session, effectively bypassing the updated authorization settings.
6. The attacker successfully completes the privileged action. This could involve accessing sensitive data, modifying system settings, or initiating unauthorized downloads.
7. The attacker continues to exploit the stale session data to perform further unauthorized actions, maintaining escalated privileges until session expiry or logout.

Impact

Successful exploitation of CVE-2026-41133 can lead to significant privilege escalation within pyLoad. An attacker with a compromised account can retain administrative-level access even after their permissions have been revoked. The scope of the impact depends on the specific privileges granted to the compromised user and the actions they are able to perform within pyLoad. This could potentially lead to unauthorized access to downloaded files, modification of download settings, or disruption of the download manager’s functionality.

Recommendation

• Apply the patch provided in commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 to address the vulnerability.
• Monitor pyLoad logs for any suspicious activity following user permission changes, particularly attempts to access restricted functions, to detect potential exploitation attempts related to CVE-2026-41133.
• Implement stricter session management policies, such as shorter session timeouts, to minimize the window of opportunity for attackers to exploit this vulnerability.
• Deploy the Sigma rule DetectPyLoadPrivilegeEscalation to identify potential exploit attempts.

]]>highadvisorypyLoadprivilege-escalationCVE-2026-41133https://feed.craftedsignal.io/briefs/2026-04-pyload-rce/Sat, 04 Apr 2026 06:43:37 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-pyload-rce/pyLoad is vulnerable to arbitrary code execution via an unprotected `storage_folder` configuration option, allowing an attacker with `SETTINGS` and `ADD` permissions to write a malicious pickle payload to the Flask session store and execute arbitrary code upon subsequent HTTP requests.pyLoad, a download manager, is susceptible to arbitrary code execution due to an insecure configuration option related to the storage folder. This vulnerability arises from the incomplete fix for CVE-2026-33509. Specifically, the storage_folder option is not included in the ADMIN_ONLY_OPTIONS set, which allows users with SETTINGS and ADD permissions to modify it. By redirecting downloads to the Flask filesystem session store, an attacker can plant a malicious pickle payload as a predictable session file. Subsequently, any HTTP request containing the corresponding crafted session cookie will trigger the deserialization of the payload, resulting in arbitrary code execution. This issue affects pyLoad versions up to and including 0.5.0b3. The observed exploitation involves manipulating the download directory to write malicious files into the Flask session store, ultimately leading to code execution on the host.

Attack Chain

1. An attacker gains a non-admin user account with both SETTINGS and ADD permissions in pyLoad.
2. The attacker uses the /api/set_config_value endpoint to modify the storage_folder option, setting its value to the Flask session store directory: /tmp/pyLoad/flask. This bypasses existing path restrictions.
3. The attacker calculates the target session filename by computing the MD5 hash of the string “session:ATTACKER_SESSION_ID”.
4. The attacker hosts a malicious pickle payload (e.g., 92912f771df217fb6fbfded6705dd47c) on a remote server.
5. The attacker uses the /api/add_package endpoint to add a download package. The download link points to the hosted malicious pickle payload on the attacker’s server: http://attacker.com/92912f771df217fb6fbfded6705dd47c. The dest parameter specifies where to store the downloaded file.
6. pyLoad downloads the malicious pickle payload and saves it to the Flask session store directory, naming it according to the MD5 hash calculated earlier.
7. The attacker crafts an HTTP request to the pyLoad server, including a cookie named pyload_session_{port} with the value ATTACKER_SESSION_ID. The port number is derived from the pyLoad configuration.
8. Upon receiving the request with the crafted cookie, Flask attempts to load the session data from the corresponding file. The cachelib library deserializes the malicious pickle payload using pickle.load(), triggering arbitrary code execution.

Impact

Successful exploitation allows a non-admin user with SETTINGS and ADD permissions to achieve arbitrary code execution as the pyload service user. This grants the attacker the ability to execute arbitrary commands, read environment variables (potentially exposing API keys and credentials), access the filesystem (including download history and user databases), and potentially pivot to other network resources. The vulnerability requires no authentication to trigger the final stage of exploitation, increasing its severity and potential impact.

Recommendation

• Deploy the following Sigma rule to detect attempts to modify the storage_folder configuration option to point to the Flask session directory (/tmp/pyLoad/flask): Suspicious pyLoad Storage Folder Modification.
• Apply the suggested fix by adding storage_folder to the ADMIN_ONLY_OPTIONS set in the pyLoad configuration to prevent non-admin users from modifying it.
• Block the malicious URLs used to deliver the pickle payload, specifically http://attacker.com/92912f771df217fb6fbfded6705dd47c, at your network perimeter.
• Monitor for HTTP requests containing the crafted session cookie (pyload_session_{port}=ATTACKER_SESSION_ID), using a webserver or proxy log source, as it triggers the final stage of the attack.

]]>criticaladvisorypyLoadrcepickledeserializationwebserver