CVE-2026-41133— pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41133
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
Source: NVD (National Vulnerability Database)
Vulnerability Description
pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions. This is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature. Commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 contains a fix for the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
不充分的会话过期机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
pyLoad 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
pyLoad是pyLoad开源的一个用 Python 编写的免费开源下载管理器。 pyLoad 0.5.0b3.dev97及之前版本存在代码问题漏洞,该漏洞源于在登录时缓存role和permission,并在管理员更改用户角色或权限后继续使用这些缓存值授权请求,可能导致权限提升。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-41133
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41133
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: pyload
- CVE-2026-40594
pyLoad: Session Cookie Security Downgrade via Untrusted X-Fo - CVE-2026-40071
pyLoad WebUI JSON permission mismatch lets ADD/DELETE users - CVE-2026-35592
pyLoad has an Incomplete Tar Path Traversal Fix in UnTar._sa - CVE-2026-35586
Authorization Bypass for SSL Certificate/Key Configuration D - CVE-2026-35464
pyLoad has an incomplete fix for CVE-2026-33509: unprotected
Same vendor: pyload
- CVE-2026-40594
pyLoad: Session Cookie Security Downgrade via Untrusted X-Fo - CVE-2026-40071
pyLoad WebUI JSON permission mismatch lets ADD/DELETE users - CVE-2026-35592
pyLoad has an Incomplete Tar Path Traversal Fix in UnTar._sa - CVE-2026-35586
Authorization Bypass for SSL Certificate/Key Configuration D - CVE-2026-35464
pyLoad has an incomplete fix for CVE-2026-33509: unprotected
Same weakness: CWE-613
- CVE-2026-41902
FreeScout's user invitation hash never expires: permanent un - CVE-2026-41519
Weblate's API Token Not Invalidated on Password Change - CVE-2026-41891
CI4MS: Deactivated User Session Bypass (active=0) - CVE-2026-40934
jupyter-server authentication cookies remain valid after pas - CVE-2026-42421
OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shar
V. Comments for CVE-2026-41133
No comments yet