Platform
python
Component
pyload-ng
Fixed in
0.5.1
CVE-2026-33992 describes a Server-Side Request Forgery (SSRF) vulnerability within the download engine of pyload-ng. This flaw allows authenticated attackers to leverage the application to access internal network resources and potentially exfiltrate sensitive data. The vulnerability affects versions of pyload-ng up to and including 0.5.0b3.dev96, with a fix available in version 0.5.0b3.dev97.
The SSRF vulnerability in pyload-ng poses a significant risk, particularly for deployments hosted on cloud platforms like DigitalOcean. An attacker, once authenticated, can craft malicious URLs that instruct pyload-ng to make requests to internal services that are otherwise inaccessible. On DigitalOcean droplets, this can lead to the exposure of highly sensitive infrastructure data, including droplet IDs, network configurations, region information, and critically, authentication keys and SSH keys configured within user-data/cloud-init. This information could be used to compromise the entire droplet and potentially gain access to other resources within the cloud environment. The ability to exfiltrate cloud provider metadata represents a severe data breach scenario.
CVE-2026-33992 was publicly disclosed on 2026-03-27. The vulnerability's impact is amplified by the ease of exploitation once an attacker gains authentication. No public proof-of-concept (PoC) code has been released at the time of writing, but the SSRF nature of the vulnerability makes it likely that PoCs will emerge. The EPSS score is likely to be medium or high, given the potential for significant data exfiltration and the relative ease of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.06% (20th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33992 is to immediately upgrade pyload-ng to version 0.5.0b3.dev97 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement due to the dynamic nature of URLs, strict input validation on the /api/addPackage endpoint can help prevent malicious URLs from being processed. Monitor pyload-ng logs for unusual outbound requests to internal or unexpected external resources. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked or handled safely.
Update pyLoad to version 0.5.0b3.dev97 or higher. This version contains a fix for the SSRF vulnerability that allows cloud metadata exfiltration. The update will prevent authenticated attackers from accessing internal network services and exfiltrating sensitive data.
CVE-2026-33992 is a critical SSRF vulnerability in pyload-ng versions up to 0.5.0b3.dev96, allowing attackers to access internal services and potentially exfiltrate sensitive cloud metadata.
You are affected if you are using pyload-ng versions 0.5.0b3.dev96 or earlier. Immediately upgrade to mitigate the risk.
Upgrade pyload-ng to version 0.5.0b3.dev97 or later. If upgrading is not possible, implement temporary workarounds like input validation.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests it is likely to be targeted. Monitor your systems closely.
Refer to the official pyload-ng project's website or GitHub repository for the latest security advisories and updates.