pyLoad (pyload/pyload), Race Condition (CWE-362) leading to Session Cookie Security Downgrade and Denial of Service, CVE-2026-40594 (Medium)

Listen to this Post

The vulnerability exploits a race condition caused by the `set_session_cookie_secure` function, which is registered as a `before_request` handler. This function, located in src/pyload/webui/app/__init__.py, reads the untrusted `X-Forwarded-Proto` HTTP header from every request, without any validation of its source (a CWE-346: Origin Validation Error). It then mutates the global Flask configuration value `SESSION_COOKIE_SECURE` on each request. Since the application uses a multi-threaded server (Cheroot with request_queue_size=512), a race condition occurs. When an attacker’s request sets SESSION_COOKIE_SECURE=False, a concurrent legitimate user’s request may read this `False` value during the `after_request` phase, leading to a session cookie being issued without the `Secure` flag. Conversely, if the attacker sets it to `True` on a plain HTTP server, the victim’s browser will refuse to send the cookie, causing a denial of service. The entire attack is unauthenticated.
Platform: pyLoad webui
Version: <=0.5.0b3.dev97
Vulnerability: Race Condition
Severity: Medium
date: 2026-04-16

Prediction: 0.5.0b3.dev98 (Apr 2026)

What Undercode Say:

This vulnerability is a textbook case of mishandling shared state in a concurrent environment. The most alarming aspect is the complete lack of trust boundary enforcement—any client can inject the `X-Forwarded-Proto` header and directly influence application-wide security controls. The impact ranges from subtle (session hijacking) to disruptive (complete DoS), both unauthenticated. The fix is clear: the global config mutation must be eliminated.

Analytics

Weakness (CWE): CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) & CWE-346 (Origin Validation Error)

Attack Vector (CVSS:3.1/AV): Network

Attack Complexity (CVSS:3.1/AC): High (due to race condition window)

Privileges Required (CVSS:3.1/PR): None

User Interaction (CVSS:3.1/UI): None

Confidentiality Impact (CVSS:3.1/C): Low (partial exposure)

Integrity Impact (CVSS:3.1/I): None

Availability Impact (CVSS:3.1/A): Low (disrupts sessions)

Exploit:

Prerequisite: Direct network access to the pyLoad backend (bypassing any fronting TLS proxy).

Attack 1: Cookie Security Downgrade

Flood the backend with requests that set SESSION_COOKIE_SECURE=False
for i in $(seq 1 200); do
curl -s -H 'X-Forwarded-Proto: http' http://pyload-backend:8000/ &
done
During the race window, a legitimate user behind a TLS proxy
will receive a session cookie WITHOUT the Secure flag.

Attack 2: Session Denial of Service (DoS)

Flood the server with requests that set SESSION_COOKIE_SECURE=True
for i in $(seq 1 200); do
curl -s -H 'X-Forwarded-Proto: https' http://localhost:8000/ &
done
Legitimate users' browsers will refuse to send their cookies
over plain HTTP, causing them to appear logged out.

Protection from this CVE

  1. Immediate Patching: Upgrade to `pyload-ng` version 0.5.0b3.dev98 or later.

2. Configuration (If Patching is Not Immediately Possible):

Implement strict network controls to prevent untrusted clients from directly accessing the pyLoad backend port. It should only be reachable via a trusted proxy (e.g., reverse proxy in a DMZ).
Configure your reverse proxy to override or strip any incoming `X-Forwarded-Proto` headers from the client before forwarding the request to pyLoad.

Impact

Session Hijacking: An attacker can force the server to issue session cookies without the `Secure` flag over a TLS-protected connection. If a victim later makes an HTTP request, the cookie is transmitted in cleartext, allowing the attacker to steal it.
Denial of Service (DoS): On a default plain HTTP deployment, an attacker can force the server to issue `Secure` cookies. The victim’s browser will then refuse to send this cookie back over the unencrypted HTTP connection, effectively logging them out and breaking their session.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top