CVE-2026-33511 Overview
CVE-2026-33511 is an authorization bypass vulnerability in pyLoad, a free and open-source download manager written in Python. The vulnerability exists in the local_check decorator within pyLoad's ClickNLoad feature, which can be bypassed by remote attackers through HTTP Host header spoofing. This flaw allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code.
Critical Impact
Remote attackers can bypass authentication controls to access localhost-restricted endpoints, potentially leading to arbitrary file writes and JavaScript code execution without any authentication.
Affected Products
- pyload (vendor: pyload): versions 0.4.20 up to, but not including, 0.5.0b3.dev97
- pyload-ng (vendor: pyload-ng_project)
Discovery Timeline
- 2026-03-24 - CVE-2026-33511 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33511
Vulnerability Analysis
This vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), which occurs when an application uses user-controlled input to determine which resources or functionality a user can access. In pyLoad's case, the local_check decorator is designed to restrict certain sensitive endpoints to localhost connections only, preventing remote users from accessing administrative or dangerous functionality.
However, the implementation fails to properly validate the source of requests. Instead of checking the actual network connection origin, the decorator relies on the HTTP Host header, which is entirely user-controlled. Attackers can craft malicious HTTP requests with a spoofed Host header set to localhost or 127.0.0.1, effectively tricking the application into believing the request originates from the local machine.
The ClickNLoad feature is particularly affected, as it provides functionality for external applications to submit download links to pyLoad. When the local_check bypass is exploited, attackers gain the ability to inject arbitrary download URLs, which can be leveraged to download malicious files to the server's storage directory. Furthermore, the ability to execute JavaScript code within this context could enable more sophisticated attacks including cross-site scripting or manipulation of the pyLoad web interface.
Root Cause
The root cause of this vulnerability lies in the improper implementation of the local_check decorator in pyLoad's ClickNLoad feature. The decorator trusts the HTTP Host header to determine if a request originates from localhost, rather than inspecting the actual network socket connection or validating against the client's IP address. This design flaw allows any remote attacker to simply modify the Host header in their HTTP request to impersonate a local connection, completely bypassing the intended access control mechanism.
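To make the root cause concrete, the following is an added illustration, not pyLoad's own code: a stand-in `Request` class and two versions of a `local_check` decorator. The first reproduces the flawed pattern the advisory describes (deciding "local" from the user-controlled Host header); the second takes the decision from the peer address of the TCP connection, which a remote client cannot choose. `Request`, `remote_addr` and `add_package_*` are assumptions for illustration and do not mirror pyLoad's real API.

```python
import functools
import ipaddress

# Constructed stand-in for a web-framework request object (assumption).
# pyLoad's real request API is not reproduced here.
class Request:
    def __init__(self, host_header: str, remote_addr: str):
        self.headers = {"Host": host_header}   # sent by the client, fully attacker-controlled
        self.remote_addr = remote_addr         # peer address of the TCP connection

LOCAL_HOSTNAMES = {"localhost", "127.0.0.1", "::1"}

def _host_without_port(host_header: str) -> str:
    """Strip an optional :port from a Host header value, handling [::1]:8000."""
    host = host_header.strip()
    if host.startswith("["):
        return host[1:host.find("]")]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host

def local_check_vulnerable(handler):
    """The flawed pattern: trusts the Host header to decide whether the caller is local."""
    @functools.wraps(handler)
    def wrapper(request, *args, **kwargs):
        if _host_without_port(request.headers.get("Host", "")) not in LOCAL_HOSTNAMES:
            return (403, "forbidden")
        return handler(request, *args, **kwargs)
    return wrapper

def local_check_hardened(handler):
    """Corrected pattern: decide from the connection's peer address, never from a header."""
    @functools.wraps(handler)
    def wrapper(request, *args, **kwargs):
        try:
            peer = ipaddress.ip_address(request.remote_addr)
        except ValueError:
            return (403, "forbidden")
        # ::ffff:127.0.0.1 (IPv4-mapped IPv6) must count as loopback too
        if peer.version == 6 and peer.ipv4_mapped is not None:
            peer = peer.ipv4_mapped
        if not peer.is_loopback:
            return (403, "forbidden")
        return handler(request, *args, **kwargs)
    return wrapper

# Hypothetical localhost-only handlers (assumption; not pyLoad's endpoint names).
@local_check_vulnerable
def add_package_vulnerable(request):
    return (200, "package added")

@local_check_hardened
def add_package_hardened(request):
    return (200, "package added")

if __name__ == "__main__":
    remote = Request("localhost:8000", "203.0.113.5")   # external peer, spoofed Host
    print("vulnerable:", add_package_vulnerable(remote))  # accepted: the bypass
    print("hardened:  ", add_package_hardened(remote))    # rejected
```

The hardened check has one deployment caveat: behind a reverse proxy the peer address is the proxy's, so every forwarded request looks local. In that topology the proxy itself must enforce the restriction (or the application must be configured to trust a specific proxy's forwarding header), otherwise the socket-based check is just as bypassable as the header-based one.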
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending crafted HTTP requests to the pyLoad server with a spoofed Host header. The attack flow involves:
- Identifying a pyLoad instance exposed to the network (versions 0.4.20 to before 0.5.0b3.dev97)
- Crafting an HTTP request targeting ClickNLoad endpoints with the Host header set to localhost or 127.0.0.1
- The local_check decorator accepting the request as if it came from localhost
- The attacker gaining access to restricted functionality, including download injection, file writes to storage directories, and JavaScript execution
The vulnerability can be exploited remotely against any pyLoad instance accessible over the network. See the GitHub Security Advisory for technical details on the exploitation mechanism.
Detection Methods for CVE-2026-33511
Indicators of Compromise
- Unusual HTTP requests to ClickNLoad endpoints with localhost or 127.0.0.1 in the Host header originating from external IP addresses
- Unexpected files appearing in pyLoad storage directories that were not initiated by authorized users
- Suspicious download queue entries pointing to unknown or malicious URLs
- Web server logs showing requests with mismatched Host headers and source IP addresses
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests where the Host header contains localhost values but originates from external IP addresses
- Monitor pyLoad access logs for requests to sensitive ClickNLoad endpoints from unexpected sources
- Deploy network intrusion detection systems (IDS) with signatures for HTTP Host header spoofing attempts
- Review pyLoad download history and storage directories for unauthorized entries
Monitoring Recommendations
- Enable verbose logging in pyLoad to capture all incoming requests including headers
- Set up alerts for any ClickNLoad API activity from non-local IP addresses
- Implement file integrity monitoring on pyLoad storage directories to detect unauthorized writes
- Configure SIEM rules to correlate Host header anomalies with external connection sources
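The Host-header-versus-source-IP correlation called for in the indicators and SIEM recommendations above can be scripted directly. The following is an added example written for this page, not a pyLoad or vendor tool. It assumes a constructed log format in which the proxy or server records the client's Host header after the status code; real pyLoad or proxy logs will differ, so the regular expression is the part to adapt. The sample lines are constructed, and the `/example-cnl/add` path is a placeholder, not a real pyLoad route.

```python
import ipaddress
import re
from typing import Iterable, List, NamedTuple

# Constructed log format (assumption): src_ip - [time] "request line" status "host header"
LOG_RE = re.compile(
    r'^(?P<src>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<host>[^"]*)"$'
)

LOOPBACK_NAMES = {"localhost"}

class Finding(NamedTuple):
    src: str
    host: str
    path: str
    ts: str

def host_claims_loopback(host_header: str) -> bool:
    """True when the Host header names the local machine (localhost, 127.x.x.x, ::1)."""
    host = host_header.strip()
    if host.startswith("["):                       # [::1]:8000
        host = host[1:host.find("]")]
    elif host.count(":") == 1:                      # name:port or 127.0.0.1:port
        host = host.rsplit(":", 1)[0]
    if host.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def is_loopback_source(src: str) -> bool:
    """True when the connection's source address is genuinely loopback."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback

def find_host_spoofing(lines: Iterable[str]) -> List[Finding]:
    """Flag requests whose Host header claims localhost but whose source IP is not loopback."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                 # unparseable line: skip, do not guess
        if host_claims_loopback(m["host"]) and not is_loopback_source(m["src"]):
            findings.append(Finding(m["src"], m["host"], m["path"], m["ts"]))
    return findings

# Constructed sample log lines (not real pyLoad output); the path is a placeholder.
SAMPLE_LOG = [
    '127.0.0.1 - [24/Mar/2026:10:00:01 +0000] "GET /example-cnl/add HTTP/1.1" 200 "localhost:8000"',
    '203.0.113.5 - [24/Mar/2026:10:00:07 +0000] "POST /example-cnl/add HTTP/1.1" 200 "127.0.0.1:8000"',
    '203.0.113.5 - [24/Mar/2026:10:00:09 +0000] "GET / HTTP/1.1" 200 "pyload.example.net"',
    '198.51.100.9 - [24/Mar/2026:10:01:15 +0000] "POST /example-cnl/add HTTP/1.1" 200 "localhost"',
    '::1 - [24/Mar/2026:10:02:00 +0000] "GET /example-cnl/add HTTP/1.1" 200 "[::1]:8000"',
]

if __name__ == "__main__":
    for f in find_host_spoofing(SAMPLE_LOG):
        print(f"ALERT host-spoof src={f.src} host={f.host} path={f.path} at {f.ts}")
```

Two lines in the sample are flagged (the external sources claiming 127.0.0.1 and localhost); genuine loopback clients and external clients using the real hostname are not. If pyLoad sits behind a reverse proxy, the logged source is the proxy's address and this check will see nothing: log the proxy's own client address (or the forwarding header the proxy sets) rather than what reaches pyLoad.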
How to Mitigate CVE-2026-33511
Immediate Actions Required
- Upgrade pyLoad to version 0.5.0b3.dev97 or later immediately
- If immediate upgrade is not possible, disable the ClickNLoad feature until patching can be completed
- Restrict network access to pyLoad instances using firewall rules to allow only trusted IP addresses
- Review pyLoad storage directories for any unauthorized files that may have been injected
Patch Information
The vulnerability has been patched in pyLoad version 0.5.0b3.dev97. Users running versions 0.4.20 through any version before 0.5.0b3.dev97 should upgrade immediately. The patch corrects the local_check decorator to properly validate the source of incoming requests rather than relying on the user-controllable Host header. For detailed patch information and the security advisory, see the pyLoad Security Advisory on GitHub.
Workarounds
- Disable the ClickNLoad feature entirely if it is not required for your use case
- Place pyLoad behind a reverse proxy that validates and normalizes Host headers before forwarding requests
- Implement network-level access controls to restrict access to pyLoad to trusted networks only
- Configure firewall rules to block external access to ClickNLoad endpoints specifically
# Configuration example - Restrict pyLoad access using iptables
# Allow localhost access only to pyLoad (default port 8000).
# Rules are evaluated in order: the ACCEPT for loopback must come before the DROP.
iptables -A INPUT -p tcp --dport 8000 -s 127.0.0.1 -j ACCEPT
# Any other host that legitimately needs access (e.g. a reverse proxy) gets its own
# ACCEPT here, before the catch-all DROP.
iptables -A INPUT -p tcp --dport 8000 -j DROP
# These rules are not persistent across reboots; save them with your distribution's
# iptables persistence mechanism. If pyLoad also listens on IPv6, add matching ip6tables rules.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.