CVE-2026-41133
Published: 22 April 2026
Summary
CVE-2026-41133 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in pyLoad. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 11.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires enforcement of approved authorizations using current role and permission data from the authoritative source, directly preventing authorization based on stale session caches.
- Mandates employment of least privilege with immediate revocation of privileges, mitigating retention of revoked higher-level access in active sessions.
- Provides for management of user accounts and privileges, including processes to propagate changes and invalidate sessions upon administrative role/permission updates.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authorization bypass via cached session roles/permissions after a database downgrade directly enables an authenticated low-privilege user to retain and abuse high privileges, which maps to exploitation for privilege escalation.
NVD Description
pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continue to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions. This is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature. Commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 contains a fix for the issue.
Deeper analysis
CVE-2026-41133 is an authorization vulnerability affecting pyLoad, a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache a user's `role` and `permission` values in the session upon login and continue to authorize subsequent requests using these cached values. This persists even after an administrator modifies the user's role or permissions in the database, allowing the user to retain previously granted privileges until logout or session expiry. The issue, classified under CWE-613 (Insufficient Session Expiration), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-22.
An attacker with low-privilege (PR:L) authenticated access over the network can exploit this if an administrator revokes or downgrades their role or permissions after login. Because the check consults the session snapshot rather than the database, the attacker keeps performing actions that require the revoked role or permissions, with high impact on confidentiality, integrity, and availability. No user interaction is required, and attack complexity is low.
The GitHub security advisory (GHSA-66hx-chf7-3332) and associated commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 detail the fix, which resolves the session caching inconsistency. Security practitioners should update to a version incorporating this commit and consider forcing session invalidation or logout for users after permission changes as a workaround.
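To make the bug class concrete, here is an added illustration (not pyLoad's code) of the vulnerable pattern beside the two defensive options the advisory points to: a login that snapshots `role` and `permission` into the session, a check that trusts that snapshot, a check that re-reads the authoritative user record on every request, and an admin update that can invalidate the affected user's live sessions. The user table, session store and permission bits are constructed placeholders, not pyLoad's schema.

```python
# Constructed in-memory user table and session store; pyLoad's real schema,
# permission bits and session layout are not modelled.
PERM_DOWNLOAD = 0x1   # hypothetical permission bits, not pyLoad's
PERM_SETTINGS = 0x2
USERS = {"alice": {"role": "admin", "permission": PERM_DOWNLOAD | PERM_SETTINGS}}
SESSIONS = {}

def login(username, session_id):
    """Vulnerable login pattern: role/permission are snapshotted into the
    session, so everything stored here is stale from this point on."""
    SESSIONS[session_id] = {"user": username, **USERS[username]}

def has_permission_cached(session_id, perm):
    """Vulnerable check: trusts the snapshot taken at login."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return False
    return sess["role"] == "admin" or bool(sess["permission"] & perm)

def has_permission_fresh(session_id, perm):
    """Fixed check: the session proves identity only; role/permission are
    re-read from the authoritative user record on every request."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return False
    user = USERS.get(sess["user"])
    if user is None:
        return False
    return user["role"] == "admin" or bool(user["permission"] & perm)

def admin_set_permissions(username, role, permission, invalidate_sessions):
    """Admin downgrades a user. invalidate_sessions=True applies the
    workaround from the advisory: drop that user's live sessions."""
    USERS[username] = {"role": role, "permission": permission}
    if invalidate_sessions:
        for sid in [s for s, e in SESSIONS.items() if e["user"] == username]:
            del SESSIONS[sid]

def demo(use_cached_check, invalidate_sessions):
    """Log alice in as admin, downgrade her, then ask whether she can still
    reach a settings-level action. Returns True when revoked access persists."""
    SESSIONS.clear()
    USERS["alice"] = {"role": "admin", "permission": PERM_DOWNLOAD | PERM_SETTINGS}
    login("alice", "sid-1")
    admin_set_permissions("alice", "user", PERM_DOWNLOAD, invalidate_sessions)
    check = has_permission_cached if use_cached_check else has_permission_fresh
    return check("sid-1", PERM_SETTINGS)
```

Only the first combination (cached check, no invalidation) keeps the revoked privilege; re-reading the record or dropping the session both close the window the advisory describes.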
Details
- CWE(s)