GHSA-rfgh-63mg-8pwm: Improper Authorization in pyLoad-ng WebUI Endpoints
Vulnerability ID: GHSA-RFGH-63MG-8PWM
CVSS Score: 5.4
Published: 2026-04-08
An improper authorization vulnerability in the pyload-ng WebUI JSON blueprint allows authenticated users with lower-tier permissions (such as ADD or DELETE) to execute operations that strictly require MODIFY permissions. This access control mismatch enables unauthorized users to reorder download queues and abort active downloads.
TL;DR
Authenticated low-privileged pyload-ng users can bypass authorization controls to reorder downloads and abort transfers due to a mismatch between WebUI route decorators and core API permission requirements.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Class: CWE-285: Improper Authorization
- CVSS v3.1 Score: 5.4 (Moderate)
- Attack Vector: Network
- Privileges Required: Low (ADD/DELETE roles)
- Exploit Status: Proof of Concept (PoC)
- Impact Matrix: Confidentiality: None, Integrity: Low, Availability: Low
Affected Systems
- pyload-ng WebUI
- pyLoad JSON API Layer
- pyload-ng: <= 0.5.0b3 (Fixed in: 0.5.0b3.dev97)
Mitigation Strategies
- Upgrade pyload-ng to version > 0.5.0b3
- Audit user roles and revoke unnecessary ADD or DELETE permissions
- Monitor application logs for unauthorized queue modification requests
Remediation Steps
- Identify running pyload-ng instances via software composition analysis or network scanning.
- Download the latest stable release or development build (0.5.0b3.dev97 or newer) from PyPI.
- Restart the pyLoad service to apply the updated route decorators.
- Review user configuration files and ensure the Principle of Least Privilege is enforced across all accounts.
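The mismatch the advisory describes (a WebUI route gated on ADD or DELETE wrapping a core API operation that requires MODIFY) and the role audit recommended above can both be shown with a small model. The following is an added example, not pyload-ng's own code: the Perms bit flags, CoreAPI, login_required, api_requires and the json_* route names are assumptions chosen to mirror the description, and the queue contents and user accounts are constructed. It places a vulnerable route beside its hardened form and adds an audit that exercises every route as an all-permission user, records which API methods each route actually touches, and reports any route whose gate lacks a permission those methods require.

```python
"""Route-vs-API permission audit for a pyLoad-style WebUI. Constructed example, not
pyload-ng's code: Perms, CoreAPI, login_required and json_* names are assumptions."""
from enum import IntFlag
from functools import wraps

class Perms(IntFlag):
    ADD = 1
    DELETE = 2
    MODIFY = 4

def api_requires(perm):
    """Metadata only: the WebUI calls the core API in-process as a trusted
    caller, so the route decorator is the sole runtime check on that path."""
    def deco(fn):
        fn.required_perm = perm
        return fn
    return deco

class CoreAPI:
    def __init__(self):
        self.queue = ["pkg-1", "pkg-2", "pkg-3"]  # constructed sample state
        self.active = {"pkg-1", "pkg-2"}

    @api_requires(Perms.MODIFY)
    def order_package(self, pid, position):
        self.queue.remove(pid)
        self.queue.insert(position, pid)

    @api_requires(Perms.MODIFY)
    def stop_downloads(self, pids):
        self.active.difference_update(pids)

def login_required(perm):
    """WebUI route gate: answer 403 unless the session user holds `perm`."""
    def deco(fn):
        @wraps(fn)
        def wrapper(api, user, *args):
            if not user["perms"] & perm:
                return {"status": 403, "error": f"{fn.__name__} requires {perm.name}"}
            return {"status": 200, "result": fn(api, user, *args)}
        wrapper.route_perm = perm
        return wrapper
    return deco

# Vulnerable pattern: the route gate (ADD or DELETE) is weaker than the MODIFY
# requirement of the API method it wraps, so an ADD-only user gets through.
@login_required(Perms.ADD)
def json_reorder_vulnerable(api, user, pid, position):
    api.order_package(pid, position)
    return list(api.queue)

@login_required(Perms.DELETE)
def json_abort_vulnerable(api, user, pids):
    api.stop_downloads(pids)
    return sorted(api.active)

# Hardened pattern: the route gate matches what the API method requires.
@login_required(Perms.MODIFY)
def json_reorder_fixed(api, user, pid, position):
    api.order_package(pid, position)
    return list(api.queue)

class TracingAPI:
    """Proxy that records every CoreAPI method a route looks up (and so calls)."""
    def __init__(self, real):
        self._real, self.seen = real, []

    def __getattr__(self, name):
        attr = getattr(self._real, name)
        if callable(attr):
            self.seen.append(attr)
        return attr

def audit_routes(routes, make_api=CoreAPI):
    """Exercise each route as an all-permission user, collect the API methods
    it touched, and report gates lacking a permission those methods require."""
    auditor = {"name": "auditor", "perms": Perms.ADD | Perms.DELETE | Perms.MODIFY}
    findings = {}
    for route, args in routes:
        tracer = TracingAPI(make_api())
        route(tracer, auditor, *args)
        needed = Perms(0)
        for method in tracer.seen:
            needed |= getattr(method, "required_perm", Perms(0))
        missing = [p.name for p in (Perms.ADD, Perms.DELETE, Perms.MODIFY)
                   if p in needed and p not in route.route_perm]
        if missing:
            findings[route.__name__] = missing
    return findings

ROUTES = [(json_reorder_vulnerable, ("pkg-3", 0)), (json_abort_vulnerable, (["pkg-1"],)),
          (json_reorder_fixed, ("pkg-3", 0))]
LOW_USER = {"name": "uploader", "perms": Perms.ADD}  # constructed ADD-only account

if __name__ == "__main__":
    print(audit_routes(ROUTES))  # {'json_reorder_vulnerable': ['MODIFY'], 'json_abort_vulnerable': ['MODIFY']}
```

Running the audit flags the two mismatched routes and stays silent on the hardened one; the same dynamic approach (drive each endpoint with a fully privileged test account behind a tracing proxy and compare what it touched against the route's declared gate) is a reasonable regression check to keep in a WebUI's test suite, since it catches a decorator that drifts away from the API it fronts without requiring a hand-maintained route-to-permission table.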
References
Read the full report for GHSA-RFGH-63MG-8PWM on our website for more details including interactive diagrams and full exploit analysis.