CVE-2026-41133: pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
pyLoad caches the user's role and permissions in the session at login and keeps authorizing requests against those cached values, even after an administrator changes the user's role or permissions in the database.
As a result, an already logged-in user retains old (revoked) privileges until logout or session expiry, and can keep performing privileged actions in the meantime.
This is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature.
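An added illustration of the defect class described above, written for this page and not taken from pyLoad: the vulnerable pattern copies role/permissions into the session once at login, while the hardened pattern keeps only the user identity in the session and re-reads the current record on every request. The in-memory `USERS` store and the permission names are constructed for the example.

```python
# Added illustration (not pyLoad's code): why authorizing from role data cached
# in the session at login lets revoked privileges survive until logout, and how
# re-validating against the user store on every request closes the gap.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    role: str
    perms: set = field(default_factory=set)

# Hypothetical in-memory user store standing in for the database.
USERS = {"alice": User("alice", "admin", {"add_package", "delete_package"})}

def login_cached(username: str) -> dict:
    """Vulnerable pattern: role/permissions are copied into the session once."""
    u = USERS[username]
    return {"user": u.name, "role": u.role, "perms": set(u.perms)}

def login_minimal(username: str) -> dict:
    """Hardened pattern: the session only identifies the user."""
    return {"user": USERS[username].name}

def is_allowed_cached(session: dict, perm: str) -> bool:
    # Decision uses the stale session copy; the admin's later change is never seen.
    return session["role"] == "admin" or perm in session["perms"]

def is_allowed_live(session: dict, perm: str) -> bool:
    # Decision re-reads the current record; a deleted user or changed role
    # takes effect on the next request, not at the next logout.
    u = USERS.get(session.get("user"))
    if u is None:
        return False
    return u.role == "admin" or perm in u.perms

def demo() -> tuple:
    """Returns (cached decision, live decision) after an in-session demotion."""
    s_cached = login_cached("alice")
    s_live = login_minimal("alice")
    # An administrator demotes alice while she is still logged in.
    USERS["alice"].role = "user"
    USERS["alice"].perms.discard("delete_package")
    return (is_allowed_cached(s_cached, "delete_package"),
            is_allowed_live(s_live, "delete_package"))
```

The cached check still returns True for the revoked permission, while the live check returns False on the very next request; invalidating all sessions for a user whenever their role changes is the equivalent fix for designs that must keep caching.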