PatchSiren cyber security CVE debrief
CVE-2026-45306 pyload CVE debrief
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). An authenticated attacker can set storage_folder to the session directory and download session files of other users via /files/get/, leading to account takeover. This vulnerability is fixed in 0.5.0b3.dev100.
- Vendor: pyload
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations running pyLoad download manager instances, particularly multi-user deployments and any instance whose web interface is reachable beyond a trusted network. Security teams should prioritize patching because the outcome is account takeover of other users. Exploitation does require an authenticated account that is allowed to change the storage_folder setting (CVSS rates this as high privileges), so single-user installs and well-segmented deployments are exposed mainly through an already-compromised or malicious privileged account.
Technical summary
This vulnerability is a partial fix bypass in pyLoad's storage_folder validation. The fix for CVE-2026-33509 rejects a storage_folder located inside the package directory (PKGDIR) or the user directory (userdir), but the denylist omits the Flask session directory at /tmp/pyLoad/flask. Because /files/get/ serves files relative to storage_folder, an authenticated attacker with enough privilege to change that setting can point it at the session directory and then download the server-side session files of every other logged-in user. Those files are what the server uses to recognise a user's session, so obtaining one lets the attacker act as that user: session hijacking and complete account takeover. The underlying design weakness is the denylist itself: each sensitive directory has to be enumerated, and the session directory was missed. The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N indicates network attack vector, low complexity, high privileges required, no user interaction, unchanged scope, with high impact to confidentiality and integrity but no availability impact.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade pyLoad to version 0.5.0b3.dev100 or later to remediate this vulnerability
- Restrict accounts that can change pyLoad settings (in particular storage_folder) to trusted administrators, and do not expose the web interface to untrusted networks
- Alert on changes to the storage_folder setting, and on /files/get/ requests that resolve to paths under /tmp/pyLoad/flask or other directories outside the intended download root
- Treat any session file that may have been downloaded as compromised: invalidate existing sessions (for example by clearing /tmp/pyLoad/flask) and have users log in again after patching
- Verify after patching that storage_folder cannot be set to PKGDIR, userdir, the session directory, or a path that resolves into them through ".." or symlinks; file system permissions on /tmp/pyLoad/flask do not help here, because pyLoad itself reads the files as the same process user
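The validation gap described in the technical summary and the post-patch check in the last action above can both be illustrated with a small path check. The code below is an added example written for this debrief; it is not pyLoad's own validation code, and the three directory constants and function names are hypothetical stand-ins. It shows the incomplete denylist (PKGDIR and userdir only, which lets the session directory through), the hardened denylist that also covers the session directory, and, going one step beyond the advisory, an allowlist check that only accepts a folder under a dedicated download root, which does not need every sensitive directory to be enumerated. Paths are canonicalised before comparison so that ".." components, duplicate slashes and symlinked parents cannot dodge the check, and the comparison is done on path components rather than string prefixes.

```python
import os
from pathlib import Path

# Hypothetical stand-ins for pyLoad's package directory, user directory and
# Flask session directory (the advisory names /tmp/pyLoad/flask). They are
# constructed for this example and need not exist on disk.
PKGDIR = Path("/opt/pyload/pyload")
USERDIR = Path("/home/pyload/.pyload")
SESSION_DIR = Path("/tmp/pyLoad/flask")


def _canonical(path) -> Path:
    """Absolute, normalised form: '..' collapsed, symlinks in existing
    components resolved. Works for paths that do not exist yet."""
    return Path(os.path.realpath(os.fspath(path)))


def _is_within(candidate, parent) -> bool:
    """True if candidate is parent itself or lies anywhere beneath it.

    Component-wise comparison, not str.startswith: /tmp/pyLoad/flask2 is a
    sibling of /tmp/pyLoad/flask, not a child, and must not match."""
    c = _canonical(candidate)
    p = _canonical(parent)
    return c == p or p in c.parents


def storage_folder_allowed_incomplete(folder: str) -> bool:
    """The denylist as the advisory describes the pre-fix state: only the
    package and user directories are rejected, so the session directory
    passes. Deliberately incomplete; kept for comparison only."""
    return not any(_is_within(folder, d) for d in (PKGDIR, USERDIR))


def storage_folder_allowed(folder: str) -> bool:
    """Hardened denylist: the session directory is rejected as well."""
    denied = (PKGDIR, USERDIR, SESSION_DIR)
    return not any(_is_within(folder, d) for d in denied)


def storage_folder_allowed_allowlist(folder: str, download_root: str) -> bool:
    """Allowlist alternative: accept only a folder under a dedicated download
    root. Nothing outside the root is reachable, so no list of sensitive
    directories has to be maintained. The root itself must of course not
    contain PKGDIR, userdir or the session directory."""
    return _is_within(folder, download_root)


if __name__ == "__main__":
    probe = "/tmp/pyLoad/flask"
    print("incomplete check accepts session dir:",
          storage_folder_allowed_incomplete(probe))   # True (the bug)
    print("hardened check accepts session dir:   ",
          storage_folder_allowed(probe))              # False
    print("allowlist accepts session dir:        ",
          storage_folder_allowed_allowlist(probe, "/srv/downloads"))  # False
```

Run it stand-alone to see the three verdicts for the session directory. To turn this into the post-patch verification step, feed the same three probes (the session directory, a ".."-obfuscated spelling of it, and a symlink pointing into it) through the instance's settings endpoint and confirm each is rejected.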
Evidence notes
The CVE description indicates this is a bypass of a prior fix for CVE-2026-33509. The original fix restricted storage_folder from being set to PKGDIR or userdir, but failed to include the Flask session directory (/tmp/pyLoad/flask) in these restrictions. An authenticated attacker with high privileges can exploit this path validation gap to access session files belonging to other users.
Official resources
- CVE-2026-45306 CVE record (CVE.org)
- CVE-2026-45306 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28