Cookie Session Not Expiring Even After Deleting the users in pyload/pyload


Reported on

Jan 5th 2023


The session is not expiring in another browser if we delete the user.

Proof of Concept

  1. Create two users with an admin role for the POC
  2. Login in two different browsers Firefox (user A ) and Chrome (user B) respectively
  3. Go the settings->users and delete user B from user A Firefox browser
  4. User B cookie is still logged in in Chrome and can still access everything


Even after deleting the user he/she can create again the user for himself/herself, and can perform everything.

We are processing your report and will contact the pyload team within 24 hours. a year ago
We have contacted a member of the pyload team and are waiting to hear back a year ago
pyload/pyload maintainer validated this vulnerability a year ago
Kiran Ghimire has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pyload/pyload maintainer marked this as fixed in 0.5.0b3.dev36 with commit c03571 a year ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
pyload/pyload maintainer published this vulnerability a year ago
to join this conversation