Cookie Session Not Expiring Even After Deleting the users in pyload/pyload


Reported on

Jan 5th 2023


The session is not expiring in another browser if we delete the user.

Proof of Concept

  1. Create two users with an admin role for the POC
  2. Login in two different browsers Firefox (user A ) and Chrome (user B) respectively
  3. Go the settings->users and delete user B from user A Firefox browser
  4. User B cookie is still logged in in Chrome and can still access everything


Even after deleting the user he/she can create again the user for himself/herself, and can perform everything.

We are processing your report and will contact the pyload team within 24 hours. 3 months ago
We have contacted a member of the pyload team and are waiting to hear back 3 months ago
pyload/pyload maintainer validated this vulnerability 3 months ago
Kiran Ghimire has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pyload/pyload maintainer marked this as fixed in 0.5.0b3.dev36 with commit c03571 3 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
pyload/pyload maintainer published this vulnerability 3 months ago
to join this conversation