MEDIUM 6.5

CVE-2026-45306: pyLoad Session File Disclosure and Account Takeover

pyLoad, a Python-based download manager, contains a directory traversal weakness that allows authenticated users to access other users' session files. An attacker with login credentials can manipulate the storage folder setting to point to a sensitive Flask session directory and then download session tokens belonging to other accounts. This could enable account takeover without requiring additional exploitation. The vulnerability exists because a prior security fix addressed some directory restrictions but overlooked the Flask session storage location.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Weaknesses (CWE)
CWE-706
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). An authenticated attacker can set storage_folder to the session directory and download session files of other users via /files/get/, leading to account takeover. This vulnerability is fixed in 0.5.0b3.dev100.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45306 is an authenticated directory traversal vulnerability in pyLoad versions before 0.5.0b3.dev100. The vulnerability stems from incomplete path validation in the storage_folder configuration parameter. While a previous fix (CVE-2026-33509) restricted setting storage_folder to paths inside PKGDIR or the user directory, it failed to protect the Flask session directory at /tmp/pyLoad/flask. An authenticated attacker can bypass this restriction by setting storage_folder to the session directory, then leveraging the /files/get/ endpoint to enumerate and download session files from other users. Flask session files typically contain serialized session tokens and user identity information. Exploitation requires valid authentication credentials but no elevated privileges.

Business impact

Account takeover represents a critical business risk, particularly in shared or multi-user pyLoad deployments. A compromised account grants attackers the same permissions as the legitimate user, potentially enabling unauthorized downloads, configuration changes, or lateral movement within the deployment. Organizations relying on pyLoad for managed downloads should treat this as a high-priority remediation target, especially in environments where multiple users share instances or where pyLoad interacts with sensitive content repositories.

Affected systems

All pyLoad installations prior to version 0.5.0b3.dev100 are affected. The vulnerability requires the attacker to possess valid authentication credentials, limiting exposure to deployments where user accounts exist. Open or loosely-controlled instances are at greater risk. The vulnerability does not affect pyLoad 0.5.0b3.dev100 and later.

Exploitability

Exploitation requires valid authentication credentials, which raises the attack complexity and limits the threat actor population. However, the actual attack steps are straightforward once authenticated: modify the storage_folder configuration and fetch files via an existing HTTP endpoint. No special tools, client-side bypasses, or out-of-band channels are necessary. Social engineering or credential compromise could lower the barrier for initial access. The CVSS vector reflects this balance: network-accessible, low complexity, but requiring high privilege (authenticated user).

Remediation

Update pyLoad to version 0.5.0b3.dev100 or later. This version includes proper validation that prevents storage_folder from being set to the Flask session directory. Organizations unable to upgrade immediately should consider restricting access to the /files/get/ endpoint via firewall rules or reverse proxy authentication, limiting who can download files. Additionally, review user account creation policies to minimize unnecessary authentication credentials in the environment.

Patch guidance

Verify that your pyLoad installation is running 0.5.0b3.dev100 or a later release. Check the version via the application's settings or log files. If running an earlier beta or development version, prioritize an upgrade to the patched release. Test the patch in a non-production environment first to confirm compatibility with your deployment. After patching, restart the pyLoad service to ensure the new code is in effect.

Detection guidance

Monitor pyLoad configuration changes, particularly modifications to the storage_folder parameter. Examine logs for attempts to set storage_folder to paths containing 'flask' or '/tmp/pyLoad'. Review access logs for the /files/get/ endpoint, especially requests that succeed in retrieving files with names typical of Flask session storage (e.g., files with random hexadecimal names or .session extensions). Correlate these indicators with user accounts that do not match the requesting user's own session. If pyLoad supports audit logging, enable and regularly review configuration change records.

Why prioritize this

Although the CVSS score of 6.5 places this in the 'Medium' category, the practical impact—account takeover—justifies higher priority. The exploit requires no zero-day discovery, no unusual system configuration, and no out-of-band effort; an authenticated user can exploit it in seconds. In shared or managed download environments, the blast radius is amplified. The incomplete nature of the prior CVE-2026-33509 fix suggests the codebase may have other path validation gaps. Patch this vulnerability within your standard patch cycle for medium-severity issues, but do not deprioritize it below critical compliance requirements.

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium) reflects the requirement for prior authentication (PR:H) but acknowledges high confidentiality and integrity impact (C:H/I:H). No availability impact (A:N) is scored because the attack does not disrupt service. The network-accessible vector (AV:N) and low attack complexity (AC:L) recognize that exploitation is trivial once a credential is in hand. The score appropriately captures the 'authenticated insider threat' nature of the vulnerability; however, practitioners should weigh this against their specific deployment model. Shared or public-access instances merit treating this as a higher-priority risk.

Frequently asked questions

What is the Flask session directory and why does it matter?

Flask, the web framework used by pyLoad's web interface, stores session information in /tmp/pyLoad/flask. This directory contains serialized session objects with tokens, user identifiers, and other authentication state. If an attacker can download these files, they can deserialize them to extract another user's active session token and impersonate that user without knowing their password.

Can an unauthenticated attacker exploit this vulnerability?

No. The attacker must first obtain valid login credentials for a pyLoad account. Once authenticated, the vulnerability becomes exploitable. The high-privilege requirement (PR:H in the CVSS vector) reflects this mandatory authentication step.

Does the patch for CVE-2026-33509 protect against this issue?

No. The prior fix restricted storage_folder to prevent placement inside PKGDIR or the user directory, but it did not account for the Flask session directory as a restricted location. This CVE-2026-45306 highlights that fix as incomplete. Version 0.5.0b3.dev100 and later address this gap.

How can I tell if my pyLoad instance has been compromised by this vulnerability?

Look for configuration changes to storage_folder that point toward /tmp/pyLoad/flask or similar paths, and examine /files/get/ access logs for unusual file downloads that occur outside normal user activity. Check for new or unexpected user accounts created around the time of suspicious activity. If you suspect a compromise, rotate credentials for all pyLoad users immediately and review any downloads or configuration changes made through compromised accounts.

This analysis is provided for informational purposes and reflects the state of the vulnerability as of the publication date. Security research and threat intelligence evolve; refer to the official pyLoad project repository and security advisories for the most current information. CVSS scoring is standardized but may not capture all contextual risk factors relevant to your organization. Always verify patch availability and compatibility in your environment before applying updates. No exploit code or weaponized proof-of-concept is provided in this document. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).