pyLoad Vulnerability Lets Low-Privilege Users Hijack Downloads


CVE Notify is flagging a critical security flaw in pyLoad, the popular open-source Python download manager. The vulnerability, tracked as CVE-2026-40071, centers on the WebUI’s JSON endpoints for managing package and link order and for aborting links. According to CVE Notify, these endpoints did not enforce the same permission checks as the core API methods they call.

This oversight means an authenticated user with minimal privileges could reach these weaker controls and perform MODIFY operations that pyLoad’s internal permission model is designed to restrict. In effect, a low-level user could gain unauthorized control over download management functions. CVE Notify reports that this issue has been patched in pyLoad version 0.5.0b3.dev97.
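To make the bug class concrete, here is an added illustration (not pyLoad’s code, and the permission constants, handler names and queue model are hypothetical): a core API method guarded by a MODIFY permission, a WebUI JSON handler that only checks for a login and then calls the internal helper directly, the hardened handler that demands the same bit the API does, and a small audit that lists JSON handlers whose requirement is weaker than the API method they wrap.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, List

# Hypothetical permission bits; not pyLoad's real constants.
PERM_ALL = 0      # any authenticated session
PERM_MODIFY = 4   # required to reorder packages/links or abort links


@dataclass
class Session:
    user: str
    perms: int


@dataclass
class Core:
    """Stand-in for the download manager's queue state (constructed sample)."""
    package_order: List[int] = field(default_factory=lambda: [1, 2, 3])


def has_perm(session: Session, needed: int) -> bool:
    return needed == PERM_ALL or (session.perms & needed) == needed


def requires_perm(needed: int) -> Callable:
    """Reject the call unless the session holds `needed`, and record the
    requirement on the wrapper so handlers can be audited later."""
    def deco(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(session: Session, *args, **kwargs):
            if not has_perm(session, needed):
                raise PermissionError(f"{session.user} lacks perm {needed}")
            return fn(session, *args, **kwargs)
        wrapper.needed_perm = needed
        return wrapper
    return deco


def core_reorder(core: Core, pid: int, position: int) -> List[int]:
    """Unguarded internal helper: trusts that its caller checked permissions."""
    core.package_order.remove(pid)
    core.package_order.insert(position, pid)
    return list(core.package_order)


@requires_perm(PERM_MODIFY)
def api_order_package(session, core, pid, position):
    """Core API method: enforces MODIFY before touching the queue."""
    return core_reorder(core, pid, position)


@requires_perm(PERM_ALL)
def json_package_order_vulnerable(session, core, pid, position):
    """WebUI JSON handler that only checks for a login and then calls the
    internal helper directly, so the API's MODIFY check never runs."""
    return core_reorder(core, pid, position)


@requires_perm(PERM_MODIFY)
def json_package_order_fixed(session, core, pid, position):
    """Hardened handler: demands the same permission bit as the API."""
    return core_reorder(core, pid, position)


def weaker_than_api(json_handlers: Dict[str, Callable], api_fn: Callable) -> List[str]:
    """Names of JSON handlers whose required permission does not cover the
    permission required by the API method they wrap."""
    required = api_fn.needed_perm
    return [name for name, fn in json_handlers.items()
            if (fn.needed_perm & required) != required]


def is_denied(fn: Callable, *args) -> bool:
    """True if calling fn raises PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    guest = Session("guest", PERM_ALL)
    print(json_package_order_vulnerable(guest, Core(), 3, 0))   # guest reorders: [3, 1, 2]
    print(is_denied(json_package_order_fixed, guest, Core(), 3, 0))  # True
    print(weaker_than_api({"package_order": json_package_order_vulnerable,
                           "package_order_fixed": json_package_order_fixed},
                          api_order_package))  # ['package_order']
```

The audit at the end is the reusable part: because the decorator records the permission it enforces, a test can assert that every WebUI handler requires at least what the API method behind it requires, which is exactly the invariant the vulnerable endpoints broke.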

What This Means For You

  • Regularly patch or update applications like pyLoad, especially those handling sensitive data transfers, as soon as vendor-released security fixes become available to prevent exploitation of known vulnerabilities.


Indicators of Compromise

ID              Type                  Indicator
CVE-2026-40071  Auth Bypass           pyLoad versions prior to 0.5.0b3.dev97. Vulnerable endpoints: /json/package_order, /json/link_order, /json/abort_link. Allows authenticated low-privileged users to execute unauthorized MODIFY operations.
CVE-2026-40071  Privilege Escalation  pyLoad versions prior to 0.5.0b3.dev97. Vulnerable endpoints: /json/package_order, /json/link_order, /json/abort_link. Allows authenticated low-privileged users to execute unauthorized MODIFY operations.