Unintended Proxy or Intermediary ('Confused Deputy')
CVE-2026-42313
Summary
The `set_config_value()` API method (`@permission(Perms.SETTINGS)`) in `src/pyload/core/api/__init__.py` gates security-sensitive options behind a hand-maintained allowlist `ADMIN_ONLY_CORE_OPTIONS`. The allowlist contains `("proxy", "username")` and `("proxy", "password")` -- which protect the proxy credentials -- but it does **not** include `("proxy", "enabled")`, `("proxy", "host")`, `("proxy", "port")`, or `("proxy", "type")`. Any authenticated user with the non-admin `SETTINGS` permission can enable proxying and point pyload at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker. This affects versions prior to 0.5.0b3.dev100.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- LOW
CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
References
Advisory Timeline
- Published
