Platform
python
Component
pyload-ng
Fixed in
0.5.1
CVE-2026-40071 affects pyload-ng versions up to 0.5.0b3. This vulnerability arises from inconsistencies between the WebUI JSON endpoints and the core API permissions within pyLoad. Specifically, certain WebUI endpoints enforce weaker permission checks, enabling authenticated, low-privileged users to execute operations that should be restricted by pyLoad’s permission model. This can lead to unauthorized modifications of the system’s configuration and functionality.
An attacker exploiting CVE-2026-40071 can leverage the permission bypass to perform actions they are not authorized to do. For instance, a user with ADD permissions can reorder packages and files using the /json/packageorder and /json/linkorder endpoints, potentially disrupting download queues or manipulating file organization. Similarly, a DELETE user can abort downloads via /json/abort_link, impacting legitimate users and potentially causing data loss. The blast radius is limited to the pyload-ng instance itself, but the impact on affected users can be significant depending on the criticality of the manipulated data or processes. While not directly leading to remote code execution, this vulnerability can be a stepping stone for further exploitation if combined with other weaknesses.
CVE-2026-40071 was published on 2026-04-07. Its severity is rated as MEDIUM (CVSS 5.4). There is currently no indication of active exploitation campaigns targeting this vulnerability, and no public proof-of-concept (PoC) code has been released. The vulnerability is not listed on KEV or EPSS, suggesting a low probability of near-term exploitation. Refer to the NVD entry for further details and updates.
Exploit Status
EPSS
0.03% (9th percentile)
The primary mitigation for CVE-2026-40071 is to upgrade to pyload-ng version 0.5.0b3.dev97 or later, which addresses the permission inconsistencies. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the /json/packageorder, /json/linkorder, and /json/abort_link endpoints to only users with the necessary Perms.MODIFY permissions. Web Application Firewall (WAF) rules can be configured to block requests to these endpoints from users lacking sufficient privileges. Monitor pyload-ng logs for suspicious activity, particularly attempts to reorder packages or abort downloads by unauthorized users. After upgrading, confirm the fix by attempting to reorder packages or abort downloads with a low-privileged user account; these actions should be denied.
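The root cause described above (a WebUI endpoint checking a weaker permission than the core API operation it drives) and the post-upgrade check are easier to reason about with a small model. The following is an added, illustrative example and not pyLoad's own code: the permission bit values and the endpoint-to-permission table are assumptions chosen to mirror the ADD / DELETE / MODIFY cases named on this page.

```python
from enum import IntFlag


class Perms(IntFlag):
    """Permission bits in the bitmask style pyLoad uses (bit values are assumed)."""
    ADD = 1
    DELETE = 2
    MODIFY = 4
    ADMIN = 8


def has_permission(user_perms: Perms, required: Perms) -> bool:
    """ADMIN implies everything; otherwise every required bit must be set."""
    return bool(user_perms & Perms.ADMIN) or (user_perms & required) == required


# Constructed table: for each WebUI JSON endpoint, the permission its own handler
# checks ("webui") and the permission the core API operation behind it requires
# ("api"). Hypothetical values for illustration, not taken from pyLoad's source.
ENDPOINT_CHECKS = {
    "/json/packageorder": {"webui": Perms.ADD, "api": Perms.MODIFY},
    "/json/linkorder": {"webui": Perms.ADD, "api": Perms.MODIFY},
    "/json/abort_link": {"webui": Perms.DELETE, "api": Perms.MODIFY},
    "/json/add_package": {"webui": Perms.ADD, "api": Perms.ADD},
}


def weaker_checks(checks: dict) -> list[str]:
    """List endpoints whose WebUI check admits a user the core API would reject.
    The smallest user passing the WebUI check holds exactly its required bits, so
    testing that user against the API requirement exposes any gap."""
    return [
        endpoint
        for endpoint, req in checks.items()
        if not has_permission(req["webui"], req["api"])
    ]


def dispatch(endpoint: str, user_perms: Perms, consistent: bool,
             checks: dict = ENDPOINT_CHECKS) -> bool:
    """Simulate the WebUI handler; True means the request would be executed.
    consistent=False models the vulnerable code path (the WebUI's own, weaker
    check decides); consistent=True models the fix (the WebUI defers to the
    core API's requirement, so both interfaces enforce the same rule)."""
    req = checks[endpoint]
    required = req["api"] if consistent else req["webui"]
    return has_permission(user_perms, required)
```

The same shape serves as the post-upgrade check the paragraph asks for: a user holding only ADD or only DELETE must be refused on the three listed endpoints once the WebUI and API checks agree.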
Update pyLoad to version 0.5.0b3.dev97 or later to mitigate this vulnerability. The update corrects the missing permission checks on the JSON endpoints, preventing users with limited privileges from executing unauthorized modification actions.
CVE-2026-40071 is a permission bypass vulnerability in pyload-ng, allowing low-privileged users to perform unauthorized modifications like reordering packages or aborting downloads.
You are affected if you are using pyload-ng version 0.5.0b3 or earlier. Check your version and upgrade if necessary.
Upgrade to pyload-ng version 0.5.0b3.dev97 or later to resolve the permission bypass vulnerability. Temporary workarounds include restricting access to specific endpoints.
Currently, there is no evidence of active exploitation campaigns targeting CVE-2026-40071, and no public PoCs are available.
Refer to the National Vulnerability Database (NVD) entry for CVE-2026-40071 for detailed information and updates: [https://nvd.nist.gov/vuln/detail/CVE-2026-40071](https://nvd.nist.gov/vuln/detail/CVE-2026-40071)