PT-2026-33285 · Pyload · Pyload
Offset · Published 2026-04-16 · Updated 2026-04-21 · CVE-2026-40594
CVSS v3.1
4.8
Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
pyLoad (affected versions not specified)
Description
A race condition exists in the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py. The handler reads the X-Forwarded-Proto header from each HTTP request without checking that the request actually came from a trusted proxy, and uses the value to mutate the global SESSION_COOKIE_SECURE Flask configuration setting. Because pyLoad runs on the multi-threaded Cheroot WSGI server, that setting is shared by all requests being handled concurrently, so a single request from an attacker can change the Secure flag on session cookies issued to other users. This leads to two scenarios:
- Cookie security downgrade: in deployments behind a TLS-terminating proxy, an attacker can cause session cookies to be issued without the Secure flag, enabling session hijacking if the cookie is later transmitted over plain HTTP.
- Session denial of service: in plain-HTTP deployments, an attacker can force the Secure flag to be set, so browsers refuse to send the cookie back to the server, which effectively logs out all concurrent users.
Both issues occur because the X-Forwarded-Proto header is trusted from any client and the resulting state is mutated globally across threads rather than decided per request.
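The following Python is an added illustration and not pyLoad's code: it models the pattern described above (a before_request-style hook that writes a header-derived value into a shared SESSION_COOKIE_SECURE setting) beside a per-request decision that honours X-Forwarded-Proto only when the peer address is an allowlisted proxy. The WSGI environ dictionaries, the 10.0.0.5 proxy address, the client addresses and the session id are constructed for the example; the request interleaving is driven by hand so the cross-request effect is deterministic instead of depending on Cheroot's thread scheduling.

```python
"""Added example (not pyLoad's code): header-driven global config mutation versus a
per-request, trusted-proxy-gated decision for the session cookie's Secure flag.
Stdlib only; all addresses and the session id are constructed."""

# Constructed: address of the TLS-terminating reverse proxy in front of the app.
TRUSTED_PROXIES = frozenset({"10.0.0.5"})


def make_environ(remote_addr, scheme, forwarded_proto=None):
    """Minimal WSGI environ for one request (constructed, not captured traffic)."""
    environ = {"REMOTE_ADDR": remote_addr, "wsgi.url_scheme": scheme}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ


def build_cookie(session_id, secure):
    cookie = f"session={session_id}; HttpOnly; Path=/"
    return (cookie + "; Secure") if secure else cookie


class VulnerableApp:
    """Same shape as the reported hook: header from *any* client -> process-wide flag."""

    def __init__(self):
        self.config = {"SESSION_COOKIE_SECURE": False}  # shared by every thread

    def before_request(self, environ):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", environ["wsgi.url_scheme"])
        self.config["SESSION_COOKIE_SECURE"] = (proto == "https")

    def issue_cookie(self, session_id):
        # Read later than it was written, so another request may have changed it.
        return build_cookie(session_id, self.config["SESSION_COOKIE_SECURE"])


def effective_scheme(environ, trusted_proxies=TRUSTED_PROXIES):
    """Per-request scheme: honour X-Forwarded-Proto only from a trusted proxy peer."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if forwarded and environ.get("REMOTE_ADDR") in trusted_proxies:
        return forwarded.split(",")[0].strip().lower()  # first hop if a proxy appends
    return environ["wsgi.url_scheme"]


def issue_cookie_hardened(environ, session_id, trusted_proxies=TRUSTED_PROXIES):
    """No shared state: the Secure flag is decided from this request alone."""
    return build_cookie(session_id, effective_scheme(environ, trusted_proxies) == "https")


def interleave(app, victim_env, attacker_env):
    """Worst-case ordering on a threaded server: the attacker's hook runs between the
    victim's hook and the victim's Set-Cookie being written."""
    app.before_request(victim_env)
    app.before_request(attacker_env)
    return app.issue_cookie("victim-sid")


def downgrade_scenario():
    """TLS-terminating proxy in front; the attacker reaches the backend directly over HTTP.
    Returns (vulnerable victim cookie, hardened victim cookie)."""
    victim = make_environ("10.0.0.5", "http", forwarded_proto="https")      # via proxy
    attacker = make_environ("198.51.100.7", "http", forwarded_proto="http")  # direct hit
    return interleave(VulnerableApp(), victim, attacker), issue_cookie_hardened(victim, "victim-sid")


def lockout_scenario():
    """Plain-HTTP deployment, no proxy; the attacker claims https to force Secure on everyone.
    Returns (vulnerable victim cookie, hardened victim cookie)."""
    victim = make_environ("192.0.2.10", "http")
    attacker = make_environ("198.51.100.7", "http", forwarded_proto="https")
    return interleave(VulnerableApp(), victim, attacker), issue_cookie_hardened(victim, "victim-sid")


if __name__ == "__main__":
    for name, scenario in (("downgrade", downgrade_scenario), ("lockout", lockout_scenario)):
        vulnerable, hardened = scenario()
        print(f"{name}: vulnerable -> {vulnerable}")
        print(f"{name}: hardened   -> {hardened}")
```

Run it directly to print the victim's Set-Cookie value in both scenarios: in the downgrade case the vulnerable app drops Secure from a cookie that should carry it, and in the lockout case it adds Secure to a cookie served over plain HTTP, while the hardened path is unaffected by the attacker's request in both. In a real Flask deployment the usual equivalent of effective_scheme is wrapping the app in werkzeug.middleware.proxy_fix.ProxyFix with x_proto=1 and reading request.is_secure per request; note that ProxyFix trusts a hop count rather than a peer address, so it is only safe when the application is reachable exclusively through the proxy, whereas the address check above makes that condition explicit.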
Recommendations
As a temporary workaround, consider disabling the set_session_cookie_secure() function in src/pyload/webui/app/__init__.py so that the global configuration is no longer mutated per request, and set SESSION_COOKIE_SECURE statically to match whether the WebUI is actually served over TLS.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
DoS
Origin Validation Error
Weakness Enumeration
Related Identifiers
Affected Products
Pyload