CVE-2026-33509
Published: 24 March 2026
Summary
CVE-2026-33509 is a high-severity Improper Privilege Management (CWE-269) vulnerability in pyLoad (vendor Pyload). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 26.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Restricts access to configuration change activities, preventing non-admin SETTINGS users from modifying security-critical options like reconnect.script via the set_config_value() API.
- Enforces least privilege by ensuring the SETTINGS permission does not allow modification of configuration options that control executable paths passed to subprocess.run().
- Enforces approved authorizations on the set_config_value() API endpoint to block unauthorized writes to unrestricted configuration options.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes remote exploitation of a public-facing pyLoad web/API endpoint (set_config_value) to modify a script path executed via subprocess, directly enabling initial access via public app exploitation (T1190) and privilege escalation from SETTINGS permission to full process-level RCE (T1068).
NVD Description
pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder; all other security-critical settings, including reconnect.script, are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97.
Deeper analysis
CVE-2026-33509 affects pyLoad, a free and open-source download manager written in Python, specifically versions from 0.4.0 up to but not including 0.5.0b3.dev97. The vulnerability resides in the set_config_value() API endpoint, which permits users with the non-admin SETTINGS permission to modify any configuration option without restrictions. Notably, the reconnect.script option, which specifies a file path passed directly to subprocess.run() in the thread manager's reconnect logic, lacks validation beyond a hardcoded check for general.storage_folder. This improper restriction of configuration settings (CWE-269) enables unauthorized writes to security-critical options.
An attacker with SETTINGS permission can exploit this remotely over the network by calling the set_config_value() endpoint to alter the reconnect.script to point to any executable file on the system. Upon triggering the reconnect logic, this leads to remote code execution with the privileges of the pyLoad process. The CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects network accessibility, low privileges required, high attack complexity, and high impact on confidentiality, integrity, and availability.
The issue has been addressed in pyLoad version 0.5.0b3.dev97. For full details on the patch and mitigation recommendations, refer to the security advisory at https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx.
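The authorization gap described above, as an added illustration that is not pyLoad's own code: a model of the pre-fix check, which guards only general.storage_folder, beside a deny-by-default allowlist check that keeps path-bearing options such as reconnect.script admin-only. Perms, default_config, try_set and the two set_config_value_* functions are hypothetical names, and the configuration values are constructed.

```python
from enum import IntFlag

class Perms(IntFlag):
    SETTINGS = 1
    ADMIN = 2

class PermissionDenied(Exception):
    pass

def default_config():
    """Constructed sample config; in pyLoad, reconnect.script is handed to subprocess.run()."""
    return {
        "general": {"storage_folder": "/var/lib/pyload/downloads", "language": "en"},
        "reconnect": {"enabled": False, "script": "/usr/local/bin/reconnect.sh"},
        "download": {"max_downloads": 3},
    }

def set_config_value_vulnerable(perms, section, option, value, config):
    """Models the pre-fix logic: the only admin-only option is general.storage_folder."""
    if not perms & (Perms.SETTINGS | Perms.ADMIN):
        raise PermissionDenied("SETTINGS permission required")
    if (section, option) == ("general", "storage_folder") and not perms & Perms.ADMIN:
        raise PermissionDenied("general.storage_folder is admin-only")
    config[section][option] = value  # reconnect.script is writable by any SETTINGS user

# Deny-by-default allowlist of options a non-admin SETTINGS user may change.
# Anything naming a path or executable (reconnect.script, general.storage_folder)
# is deliberately absent and so requires ADMIN.
SETTINGS_WRITABLE = {("general", "language"), ("download", "max_downloads"), ("reconnect", "enabled")}

def set_config_value_hardened(perms, section, option, value, config):
    """Hardened check: unknown options are rejected, non-allowlisted ones need ADMIN."""
    if not perms & (Perms.SETTINGS | Perms.ADMIN):
        raise PermissionDenied("SETTINGS permission required")
    if section not in config or option not in config[section]:
        raise KeyError(f"unknown option {section}.{option}")
    if not perms & Perms.ADMIN and (section, option) not in SETTINGS_WRITABLE:
        raise PermissionDenied(f"{section}.{option} is admin-only")
    config[section][option] = value

def try_set(fn, perms, section, option, value, config):
    """Return True if the write was applied, False if the permission check refused it."""
    try:
        fn(perms, section, option, value, config)
        return True
    except PermissionDenied:
        return False
```

Auditing a deployment comes down to the same question the allowlist answers: which roles may write which options, and whether any writable option feeds a path or executable.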