Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1213

NIXPKGS-2026-1213
published on
Permalink CVE-2026-40594
4.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 4 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 16 hours ago
  • @LeSuisse ignored
    5 packages
    • python312Packages.pyloadapi
    • python313Packages.pyloadapi
    • python314Packages.pyloadapi
    • home-assistant-component-tests.pyload
    • tests.home-assistant-components.pyload
    4 hours ago
  • @LeSuisse accepted 4 hours ago
  • @LeSuisse published on GitHub 4 hours ago
pyLoad: Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSION_COOKIE_SECURE on every request. Because pyLoad uses the multi-threaded Cheroot WSGI server (request_queue_size=512), this creates a race condition where an attacker's request can influence the Secure flag on other users' session cookies — either downgrading cookie security behind a TLS proxy or causing a session denial-of-service on plain HTTP deployments. This vulnerability is fixed in 0.5.0b3.dev98.

Affected products

pyload
  • ==< 0.5.0b3.dev98

Matching in nixpkgs

Ignored packages (5)

Package maintainers