{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41133", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T12:59:15.738Z", "datePublished": "2026-04-21T23:41:06.258Z", "dateUpdated": "2026-04-21T23:41:06.258Z"}, "containers": {"cna": {"title": "pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-66hx-chf7-3332", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-66hx-chf7-3332"}, {"name": "https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1", "tags": ["x_refsource_MISC"], "url": "https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": "<= 0.5.0b3.dev97", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T23:41:06.258Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions. This is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature. Commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 contains a fix for the issue."}], "source": {"advisory": "GHSA-66hx-chf7-3332", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions. This is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature. Commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 contains a fix for the issue."}], "id": "CVE-2026-41133", "lastModified": "2026-04-22T00:16:29.153", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T00:16:29.153", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1"}, {"source": "security-advisories@github.com", "url": "https://github.com/pyload/pyload/security/advisories/GHSA-66hx-chf7-3332"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.5.0b3.dev97]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pyload", "source": "cna", "vendor": "pyload"}, "product": "pyload", "vendor": "pyload"}], "analysis": {"en": {"generated_at": "2026-04-22T04:25:00.477003+00:00", "value": {"mitigation_remediation": ["Apply the patch corresponding to commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 to resolve stale session authorization.", "Upgrade to pyLoad version 0.5.0b4 or later, which contains the fix for this issue.", "Ensure all user sessions are invalidated or users are forced to log out immediately after any change to roles or permissions to prevent use of stale privileges."], "summary": {"action": "Update immediately", "impact": "Privilege Escalation via Stale Session Authorization"}, "threat_synthesis": {"affected_systems": "The pyLoad download manager, vendor pyload:pyload, is affected by this bug in all releases up to and including 0.5.0b3.dev97. Users relying on earlier roles and permissions can retain those privileges after an update to their account in the database.", "description_and_impact": "pyLoad versions through 0.5.0b3.dev97 cache the user\u2019s role and permissions in the session at login. When an administrator later changes a user\u2019s role or permissions in the database, the cached values remain in the session and continue to be used for authorization, allowing the user to maintain revoked privileges until the session ends or the user logs out. This flaw is a core authorization and session consistency issue, classified as CWE-613.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. An attacker who has an active session prior to a role or permission change can exploit the stale session data to perform privileged actions without re\u2011authenticating. Although no public exploit is currently documented, the high severity and the fact that the flaw persists until logout make it a significant risk for environments where role changes occur frequently."}}}}, "created": "2026-04-22T01:30:05.069912+00:00", "updated": "2026-04-22T04:30:05.304030+00:00", "vendors": ["pyload", "pyload$PRODUCT$pyload"]}