Session Consistency Flaw in pyLoad Download Manager
CVE-2026-41133

8.8 HIGH

Key Information:

Vendor: Pyload
Status: Vendor
CVE Published: 21 April 2026

What is CVE-2026-41133?

pyLoad, an open-source download manager written in Python, has a session-management flaw in which users keep their old privileges after an administrator changes their role or permissions. In versions up to and including 0.5.0b3.dev97, the user's role and permissions are cached in the session at login and reused to authorize subsequent requests, so changes an administrator makes afterwards are not enforced for sessions that are already open. Revoked access therefore persists until the user logs out or the session expires, and enabling the optional security feature toggle does not change this. Until the fix is deployed, a permission change is only guaranteed to take effect once the affected user's existing sessions have ended. A fix is available in commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1; see the advisory and the commit for details.
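The following is an added illustration of the pattern described above, written for this page; it is not pyLoad's code and does not reproduce the project's session handling. It uses a hypothetical in-memory user store and plain dictionaries as sessions, with made-up permission names. The vulnerable variant snapshots the role and permissions into the session at login and authorizes every later request from that snapshot; the hardened variant keeps only the identity in the session and resolves the current role and permissions from the store on each request, so an administrator's revocation takes effect immediately.

```python
"""Session-cached authorization (the flaw class of CVE-2026-41133) beside a
per-request re-check. Hypothetical example; not pyLoad's implementation."""
from dataclasses import dataclass
import secrets


@dataclass
class User:
    name: str
    role: str
    permissions: set  # hypothetical permission names, e.g. {"ADD", "DELETE"}


class UserStore:
    """Stand-in for the server's user database (constructed for this example)."""

    def __init__(self):
        self._users = {}

    def add(self, user):
        self._users[user.name] = user

    def get(self, name):
        return self._users[name]  # KeyError for unknown users

    def set_permissions(self, name, role, permissions):
        # What an administrator's "change role/permissions" action does.
        user = self._users[name]
        user.role = role
        user.permissions = set(permissions)


# --- Vulnerable pattern -------------------------------------------------------
def login_cached(store, name):
    """Copies role and permissions into the session at login."""
    user = store.get(name)
    return {"id": secrets.token_hex(8), "name": name,
            "role": user.role, "perms": set(user.permissions)}


def has_permission_cached(session, perm):
    """Authorizes from the stale snapshot; never consults the store again."""
    return session["role"] == "admin" or perm in session["perms"]


# --- Hardened pattern ---------------------------------------------------------
def login_live(store, name):
    """Stores only the identity; authorization data is looked up per request."""
    store.get(name)  # fail login for unknown users
    return {"id": secrets.token_hex(8), "name": name}


def has_permission_live(store, session, perm):
    """Resolves the user's current role and permissions on every check."""
    user = store.get(session["name"])
    return user.role == "admin" or perm in user.permissions


def demo():
    """Returns ((cached, live) before revocation, (cached, live) after)."""
    store = UserStore()
    store.add(User("alice", "user", {"ADD", "DELETE"}))
    cached = login_cached(store, "alice")
    live = login_live(store, "alice")
    before = (has_permission_cached(cached, "DELETE"),
              has_permission_live(store, live, "DELETE"))
    # Administrator revokes DELETE while both sessions remain open.
    store.set_permissions("alice", "user", {"ADD"})
    after = (has_permission_cached(cached, "DELETE"),
             has_permission_live(store, live, "DELETE"))
    return before, after


if __name__ == "__main__":
    print(demo())  # cached session still grants DELETE after revocation
```

Re-reading the store on every request is the simplest correct fix; an equivalent alternative is to keep the snapshot but invalidate (or version-stamp and refresh) every open session of a user whenever an administrator edits that user's role or permissions. Whichever approach is chosen, the test of correctness is the one in `demo()`: a permission revoked mid-session must be denied on the very next request.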

Affected Version(s)

pyload <= 0.5.0b3.dev97

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
