


Perceptive Security
SOC/SIEM Consultancy

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at …
Published:
21 April 2026 at 22:00:00
Alert date:
22 April 2026 at 22:11:22
Source:
nvd.nist.gov
Web Technologies, Identity & Access
pyLoad, an open-source Python download manager, has a critical authorization vulnerability in versions up to and including 0.5.0b3.dev97. The application caches each user's role and permissions in the session at login and keeps using those cached values even after an administrator changes the user's privileges in the database. A logged-in user therefore retains revoked privileges until logout or session expiry and can continue to perform privileged actions in the meantime. The issue affects core authorization and session consistency mechanisms and cannot be resolved through optional security features. A fix has been implemented in commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1.
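The stale-session pattern described above, next to a store-backed check, as an added example that is not pyLoad's code or the upstream fix. `UserStore`, `login`, `is_admin_cached` and `is_admin_fresh` are hypothetical names, and the user `alice` is constructed sample data.

```python
# Added illustration: a minimal model of session-cached authorization.
# Not pyLoad's code; every name here is hypothetical.
from dataclasses import dataclass

ADMIN, USER = "admin", "user"


@dataclass
class Account:
    role: str
    active: bool = True


class UserStore:
    """Stands in for the user database that an administrator edits."""

    def __init__(self):
        self.accounts = {}

    def set_role(self, name, role):
        self.accounts[name].role = role


def login(store, name):
    """Create a session; the copied 'role' is the value that goes stale."""
    return {"name": name, "role": store.accounts[name].role}


def is_admin_cached(session):
    # Flawed pattern: trusts the role snapshot taken at login.
    return session["role"] == ADMIN


def is_admin_fresh(store, session):
    # Hardened pattern: the session only identifies the user; role and
    # account state are read from the store on every decision.
    acct = store.accounts.get(session["name"])
    return acct is not None and acct.active and acct.role == ADMIN


def demo():
    store = UserStore()
    store.accounts["alice"] = Account(role=ADMIN)  # constructed sample user
    session = login(store, "alice")
    store.set_role("alice", USER)  # administrator revokes the privilege
    return is_admin_cached(session), is_admin_fresh(store, session)


if __name__ == "__main__":
    print(demo())
```

The same store-backed check also covers an account that is deactivated or deleted while its session is still open.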
Technical details
Mitigation steps:
Affected products:
pyLoad
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-41133
https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1
https://github.com/pyload/pyload/security/advisories/GHSA-66hx-chf7-3332
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
