CVE-2026-41235 in Froxlor
Summary
by MITRE • 06/04/2026
Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer with shell delegation enabled can submit an arbitrary shell such as `/bin/bash` even when the panel UI only offers more restricted choices. In deployments that use the default `nssextrausers` integration, the attacker-controlled shell is then propagated into the system account database, leading to real host shell access. Version 2.3.7 fixes the issue.
Analysis
by VulDB Data Team • 06/06/2026
This vulnerability exists in Froxlor version 2.3.6, where the administrative interface lets administrators configure a whitelist of approved shells through the system.available_shells parameter. The software restricts the choices offered in the user interface to the predefined shells, but does not enforce this whitelist during server-side processing. When administrators enable shell delegation for customers, authenticated users can bypass the frontend restriction by submitting arbitrary shell values directly through API requests or form submissions. The vulnerability stems from missing input validation and access-control enforcement: a classic privilege escalation flaw in which user-supplied data is stored without being checked against policy. This issue directly relates to CWE-20 Input Validation and CWE-791 Insufficiently Protected Credentials, as the system accepts unvalidated user input without proper authorization checks.
The operational impact of this vulnerability is significant as it enables authenticated customers to gain unauthorized access to system shells beyond their intended restrictions. When deployments utilize the default nssextrausers integration, the attacker-controlled shell value gets propagated into the system account database, effectively allowing malicious users to execute commands with elevated privileges. This creates a direct path to remote code execution and potential full system compromise, particularly in environments where FTP user accounts are configured with shell access. The vulnerability demonstrates a critical flaw in the principle of least privilege enforcement, where the system fails to validate that user-provided shell values conform to the established security policies. This type of vulnerability aligns with ATT&CK technique T1059 Command and Scripting Interpreter, specifically targeting the execution of shell commands through compromised user accounts.
The fix implemented in version 2.3.7 enforces the system.available_shells whitelist during server-side processing of both add and edit operations for FTP accounts. Any shell value submitted through administrative requests must match the configured approved list before it is stored in the system account database. The mitigation strengthens input validation to prevent arbitrary shell assignment and adds access-control checks that validate user-provided data against the established security policy. Organizations should verify that their Froxlor installations have been updated to version 2.3.7 or later and should audit existing accounts to confirm that no unauthorized shell assignments have occurred. Additionally, system administrators should review their nssextrausers integration configuration and monitor for unexpected shell assignments to detect exploitation attempts.
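The two defensive steps described above, as an added example that is not Froxlor's own code: a server-side check that rejects any requested shell outside the configured whitelist (the class of fix shipped in 2.3.7), and an audit that scans nssextrausers-style passwd lines for accounts whose shell is not on that list. The function names, the comma-separated form assumed for the setting, and the sample passwd entries are all constructed for this example.

```python
import posixpath

# Assumption: system.available_shells is stored as a comma-separated string.
def parse_available_shells(setting: str) -> set[str]:
    return {s.strip() for s in setting.split(",") if s.strip()}

def validate_shell(requested: str, available_shells: set[str]) -> str:
    """Server-side check that must run on both add and edit requests.
    The UI drop-down is not a control; only this check is."""
    # Reject anything that is not a clean absolute path (e.g. "/bin//bash",
    # "/bin/../bin/bash") before comparing against the whitelist.
    normalized = posixpath.normpath(requested)
    if not normalized.startswith("/") or normalized != requested:
        raise ValueError(f"malformed shell path: {requested!r}")
    if normalized not in available_shells:
        raise ValueError(f"shell {requested!r} not in system.available_shells")
    return normalized

def audit_passwd(lines, available_shells, uid_min=1000):
    """Return (username, shell) for every account with uid >= uid_min whose
    shell is outside the whitelist. Non-passwd lines are skipped."""
    findings = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        name, _, uid, _, _, _, shell = parts
        if int(uid) >= uid_min and shell not in available_shells:
            findings.append((name, shell))
    return findings

# Constructed sample data, not taken from a real host.
SAMPLE_SETTING = "/bin/false,/usr/sbin/nologin"
SAMPLE_PASSWD = [
    "web1:x:10001:10001::/var/customers/webs/web1:/bin/false",
    "web1ftp2:x:10002:10001::/var/customers/webs/web1:/bin/bash",
    "web3:x:10003:10003::/var/customers/webs/web3:/usr/sbin/nologin",
]

if __name__ == "__main__":
    allowed = parse_available_shells(SAMPLE_SETTING)
    for name, shell in audit_passwd(SAMPLE_PASSWD, allowed):
        print(f"unexpected shell for {name}: {shell}")
```

Run the audit against the passwd file your nssextrausers setup writes, using the same shell list configured in the panel.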