GHSA-CCXC-X975-4HH9

Vulnerability from github – Published: 2026-05-04 22:07 – Updated: 2026-05-13 14:17
VLAI?
Summary
pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
Details

Summary

The set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option ("general", "ssl_verify") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches.

This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist.

Details

Writersrc/pyload/core/api/__init__.py, set_config_value() (around lines 215–290). The function is decorated with @permission(Perms.SETTINGS) and only rejects writes when (category, option) appears in ADMIN_ONLY_CORE_OPTIONS:

ADMIN_ONLY_CORE_OPTIONS = {
    ("general", "storage_folder"),
    ("log", "syslog_host"), ("log", "syslog_port"),
    ("proxy", "password"), ("proxy", "username"),
    ("reconnect", "script"),
    ("webui", "host"),
    ("webui", "ssl_certfile"), ("webui", "ssl_keyfile"), ("webui", "ssl_certchain"),
    ("webui", "use_ssl"),
}
...
if (category, option) in ADMIN_ONLY_CORE_OPTIONS and not is_admin:
    self.pyload.log.error(...); return
self.pyload.config.set(category, option, value)

("general", "ssl_verify") is absent. config.set() in src/pyload/core/config/parser.py:329 calls cast() which has no branch for enum-string types — "off" is stored verbatim and persisted to disk via self.save().

Readersrc/pyload/core/network/request_factory.py:109-110:

def get_options(self):
    return {
        "interface": self.iface(),
        "proxies":   self.get_proxies(),
        "ipv6":      self.pyload.config.get("download", "ipv6"),
        "ssl_verify": self.pyload.config.get("general", "ssl_verify"),
        ...
    }

Sinksrc/pyload/core/network/http/http_request.py:193-206:

if "ssl_verify" in options:
    aiachaser_on = b"on (using aia-chaser)"
    if options["ssl_verify"] in [True, b"on", aiachaser_on]:
        ...
        ssl_verify = 1
    else:
        ssl_verify = 0
    self.c.setopt(pycurl.SSL_VERIFYPEER, ssl_verify)
    self.c.setopt(pycurl.SSL_VERIFYHOST, ssl_verify * 2)

Because get_options() is invoked every time a new pycurl handle is built, the new config value takes effect on the very next outbound request — no pyload restart required.

PoC

Authenticated as any user who has Perms.SETTINGS but is not admin (e.g. a user with Role.USER + the SETTINGS permission bit):

# 1) Log in as the SETTINGS (non-admin) user.
curl -c cookies.txt -X POST http://pyload.example:8000/api/login \
    -d 'username=settings_user&password=<password>'

# 2) Disable TLS verification for all outbound downloads.
curl -b cookies.txt -X POST http://pyload.example:8000/api/setConfigValue \
    -d 'category=general&option=ssl_verify&value=off&section=core'
# -> 200 OK. Config persisted.

# 3) Enqueue any HTTPS download. An on-path attacker (shared LAN,
#    compromised upstream router, DNS hijack, or a malicious proxy
#    enabled via the sibling advisory on the proxy.* options) can
#    now present a forged cert for any target — pyload accepts it.

Verification: observe pycurl SSL_VERIFYPEER=0 in a debug build, or confirm that a download from an HTTPS endpoint served with a self-signed / mismatched cert succeeds after step 2 and fails before it.

Impact

  • Who: any authenticated user whose role was granted Perms.SETTINGS. In multi-user pyload deployments that delegate settings administration to non-admins, this is an unintended privilege escalation from "can change UI/download settings" to "can silently disable TLS cert validation for all outbound fetches".
  • What:
    1. Man-in-the-middle on all HTTPS downloads, captcha fetches, update checks, and plugin HTTP calls.
    2. Extends the impact of the already-published SSRF chain (CVE-2026-33992 / CVE-2026-35459). The URL-hostname validation those patches added is only meaningful if the TLS channel authenticates the endpoint; with ssl_verify=off, an on-path attacker can present forged certs for already-validated hosts — so HTTPS cloud-metadata endpoints and internal HTTPS services behind the host allowlist become reachable again.
    3. Silent to the admin. Every adjacent security-critical option (proxy.password, SSL certfile/keyfile/certchain, use_ssl) is already admin-only, so the admin's mental model is that TLS policy cannot be weakened by a non-admin.
  • Not impacted: unauthenticated attackers; users holding only DOWNLOAD / LIST roles.
Severity ?
6.8 (Medium)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.0b3.dev99"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0b3.dev100"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-306",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T22:07:24Z",
    "nvd_published_at": "2026-05-11T18:16:34Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `set_config_value()` API method (`@permission(Perms.SETTINGS)`) in `src/pyload/core/api/__init__.py` gates security-sensitive options behind a hand-maintained allowlist `ADMIN_ONLY_CORE_OPTIONS`. The option `(\"general\", \"ssl_verify\")` is **not** on that allowlist. Any authenticated user with the non-admin `SETTINGS` permission can set `general.ssl_verify = off`, and every subsequent outbound pycurl request is made with `SSL_VERIFYPEER=0` and `SSL_VERIFYHOST=0` \u2014 TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches.\n\nThis is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist.\n\n### Details\n\n**Writer** \u2014 `src/pyload/core/api/__init__.py`, `set_config_value()` (around lines 215\u2013290). The function is decorated with `@permission(Perms.SETTINGS)` and only rejects writes when `(category, option)` appears in `ADMIN_ONLY_CORE_OPTIONS`:\n\n```python\nADMIN_ONLY_CORE_OPTIONS = {\n    (\"general\", \"storage_folder\"),\n    (\"log\", \"syslog_host\"), (\"log\", \"syslog_port\"),\n    (\"proxy\", \"password\"), (\"proxy\", \"username\"),\n    (\"reconnect\", \"script\"),\n    (\"webui\", \"host\"),\n    (\"webui\", \"ssl_certfile\"), (\"webui\", \"ssl_keyfile\"), (\"webui\", \"ssl_certchain\"),\n    (\"webui\", \"use_ssl\"),\n}\n...\nif (category, option) in ADMIN_ONLY_CORE_OPTIONS and not is_admin:\n    self.pyload.log.error(...); return\nself.pyload.config.set(category, option, value)\n```\n\n`(\"general\", \"ssl_verify\")` is absent. `config.set()` in `src/pyload/core/config/parser.py:329` calls `cast()` which has no branch for enum-string types \u2014 `\"off\"` is stored verbatim and persisted to disk via `self.save()`.\n\n**Reader** \u2014 `src/pyload/core/network/request_factory.py:109-110`:\n\n```python\ndef get_options(self):\n    return {\n        \"interface\": self.iface(),\n        \"proxies\":   self.get_proxies(),\n        \"ipv6\":      self.pyload.config.get(\"download\", \"ipv6\"),\n        \"ssl_verify\": self.pyload.config.get(\"general\", \"ssl_verify\"),\n        ...\n    }\n```\n\n**Sink** \u2014 `src/pyload/core/network/http/http_request.py:193-206`:\n\n```python\nif \"ssl_verify\" in options:\n    aiachaser_on = b\"on (using aia-chaser)\"\n    if options[\"ssl_verify\"] in [True, b\"on\", aiachaser_on]:\n        ...\n        ssl_verify = 1\n    else:\n        ssl_verify = 0\n    self.c.setopt(pycurl.SSL_VERIFYPEER, ssl_verify)\n    self.c.setopt(pycurl.SSL_VERIFYHOST, ssl_verify * 2)\n```\n\nBecause `get_options()` is invoked every time a new pycurl handle is built, the new config value takes effect on the very next outbound request \u2014 no pyload restart required.\n\n### PoC\n\nAuthenticated as any user who has `Perms.SETTINGS` but is **not** admin (e.g. a user with `Role.USER` + the SETTINGS permission bit):\n\n```bash\n# 1) Log in as the SETTINGS (non-admin) user.\ncurl -c cookies.txt -X POST http://pyload.example:8000/api/login \\\n    -d \u0027username=settings_user\u0026password=\u003cpassword\u003e\u0027\n\n# 2) Disable TLS verification for all outbound downloads.\ncurl -b cookies.txt -X POST http://pyload.example:8000/api/setConfigValue \\\n    -d \u0027category=general\u0026option=ssl_verify\u0026value=off\u0026section=core\u0027\n# -\u003e 200 OK. Config persisted.\n\n# 3) Enqueue any HTTPS download. An on-path attacker (shared LAN,\n#    compromised upstream router, DNS hijack, or a malicious proxy\n#    enabled via the sibling advisory on the proxy.* options) can\n#    now present a forged cert for any target \u2014 pyload accepts it.\n```\n\nVerification: observe pycurl `SSL_VERIFYPEER=0` in a debug build, or confirm that a download from an HTTPS endpoint served with a self-signed / mismatched cert succeeds after step 2 and fails before it.\n\n### Impact\n\n- **Who**: any authenticated user whose role was granted `Perms.SETTINGS`. In multi-user pyload deployments that delegate settings administration to non-admins, this is an unintended privilege escalation from \"can change UI/download settings\" to \"can silently disable TLS cert validation for all outbound fetches\".\n- **What**:\n    1. Man-in-the-middle on all HTTPS downloads, captcha fetches, update checks, and plugin HTTP calls.\n    2. Extends the impact of the already-published SSRF chain (CVE-2026-33992 / CVE-2026-35459). The URL-hostname validation those patches added is only meaningful if the TLS channel authenticates the endpoint; with `ssl_verify=off`, an on-path attacker can present forged certs for already-validated hosts \u2014 so HTTPS cloud-metadata endpoints and internal HTTPS services behind the host allowlist become reachable again.\n    3. Silent to the admin. Every adjacent security-critical option (`proxy.password`, SSL certfile/keyfile/certchain, `use_ssl`) is already admin-only, so the admin\u0027s mental model is that TLS policy cannot be weakened by a non-admin.\n- **Not impacted**: unauthenticated attackers; users holding only `DOWNLOAD` / `LIST` roles.",
  "id": "GHSA-ccxc-x975-4hh9",
  "modified": "2026-05-13T14:17:42Z",
  "published": "2026-05-04T22:07:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42312"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-4744-96p5-mp2j"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-ppvx-rwh9-7rj7"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-r7mc-x6x7-cqxx"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-w48f-wwwf-f5fr"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.