{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35586", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T20:09:02.828Z", "datePublished": "2026-04-07T16:09:11.856Z", "dateUpdated": "2026-04-07T18:16:14.387Z"}, "containers": {"cna": {"title": "Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-ppvx-rwh9-7rj7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ppvx-rwh9-7rj7"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": "< 0.5.0b3.dev97", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:09:11.856Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. This vulnerability is fixed in 0.5.0b3.dev97."}], "source": {"advisory": "GHSA-ppvx-rwh9-7rj7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T18:16:06.829627Z", "id": "CVE-2026-35586", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:16:14.387Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35586", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T20:09:02.828Z", "datePublished": "2026-04-07T16:09:11.856Z", "dateUpdated": "2026-04-07T18:16:14.387Z"}, "containers": {"cna": {"title": "Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-ppvx-rwh9-7rj7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ppvx-rwh9-7rj7"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": "< 0.5.0b3.dev97", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:09:11.856Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. This vulnerability is fixed in 0.5.0b3.dev97."}], "source": {"advisory": "GHSA-ppvx-rwh9-7rj7", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35586", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T18:16:06.829627Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:16:10.547Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*", "matchCriteriaId": "0F5DE8DC-98B9-4A24-89F9-C2FEFD254815", "versionEndIncluding": "0.5.0b3.dev96", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. This vulnerability is fixed in 0.5.0b3.dev97."}], "id": "CVE-2026-35586", "lastModified": "2026-04-16T18:54:32.687", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T17:16:34.140", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ppvx-rwh9-7rj7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.5.0b3.dev97)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pyload", "source": "cna", "vendor": "pyload"}, "product": "pyload", "vendor": "pyload"}], "analysis": {"en": {"generated_at": "2026-04-07T22:09:08.094793+00:00", "value": {"mitigation_remediation": ["Apply the latest pyLoad release (0.5.0b3.dev97 or later) to fix the option name mismatch.", "If an immediate upgrade is not possible, restrict the SETTINGS permission to trusted administrators and review user roles to ensure only privileged users can modify configuration.", "Verify that ssl_certfile and ssl_keyfile options point to legitimate, uncompromised certificate files and that the ssl_certchain option is correctly configured.", "Restrict file system permissions on pyLoad\u2019s configuration files so that only the application owner can modify them.", "Consider disabling or monitoring the SETTINGS permission in the user management interface to detect unauthorized changes."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via Configuration Modification"}, "threat_synthesis": {"affected_systems": "The issue affects all installations of pyLoad version 0.5.0b3.dev96 and earlier. Users running the 0.5.0b3.dev97 release or later are not impacted, as the patch corrects the option names in the authorization set. The vulnerability is limited to the pyLoad download manager and its upstream maintenance branch under the pyload:pyload CNA.", "description_and_impact": "The vulnerability in pyLoad\u2019s configuration handling stems from a mismatch in the option names used in the admin\u2011only authorization check. The check references ssl_cert and ssl_key, while the correct configuration options are ssl_certfile and ssl_keyfile; consequently, the check always fails. As a result, any user granted SETTINGS permission can alter the SSL certificate and key file paths in the software\u2019s configuration, effectively bypassing the intended admin restriction. This can allow an attacker to supply a forged certificate or redirect secure traffic to a malicious endpoint, exposing sensitive data or enabling man\u2011in\u2011the\u2011middle attacks.", "risk_and_exploitability": "The CVSS base score of 6.8 reflects a moderate severity due to the compromise of configuration integrity. Because the bypass is tied to the SETTINGS permission, attackers must first obtain at least that level of access to the pyLoad instance; no external network exploit is required beyond the normal privileged actions. EPSS data is unavailable, and the vulnerability is not presently listed in CISA\u2019s KEV catalog. In typical deployment scenarios, an intruder with local or trusted remote access to the web interface or backend services is capable of changing the certificate paths and could be leveraged to facilitate man\u2011in\u2011the\u2011middle attacks or downgrade SSL, posing a significant confidentiality risk."}}}}, "created": "2026-04-08T19:36:57.787366+00:00", "updated": "2026-04-08T19:48:02.164109+00:00", "vendors": ["pyload", "pyload$PRODUCT$pyload"]}