CVE-2026-41236 in Froxlor

Summary

by MITRE • 06/04/2026

Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link. If an attacker controls a shell-enabled customer account and can modify files inside the assigned home directory, the attacker can replace `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys`. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key into root's authorized key file, resulting in root SSH access. Version 2.3.7 contains a patch.


Analysis

by VulDB Data Team • 06/05/2026

This vulnerability resides in Froxlor version 2.3.6 where a critical symlink-following flaw exists in the SSH key synchronization mechanism used for customer FTP users. The flaw occurs within a root-owned process that handles SSH key management, specifically when provisioning public keys to customer accounts. The system appends public keys to the `~/.ssh/authorized_keys` file without performing proper validation to ensure the target path is not a symbolic link, creating a dangerous privilege escalation vector. The vulnerability is particularly concerning because it operates within a privileged context where the system assumes the target path is legitimate and safe for modification.

The technical implementation of this flaw stems from inadequate path validation during the SSH key provisioning process. When Froxlor's privileged cron task executes the key synchronization, it directly appends content to the authorized_keys file without checking if the path points to a symbolic link. This behavior violates fundamental security principles for privilege escalation prevention and creates an attack surface where unprivileged users can manipulate the system's trust model. The vulnerability is classified as a symlink following issue that can be exploited through a well-known attack pattern, similar to CWE-367 and CWE-59.

The operational impact of this vulnerability is severe as it allows attackers with shell access to a customer account to achieve root privileges through a carefully crafted symlink attack. The attack requires the attacker to control a shell-enabled customer account and have write permissions within the assigned home directory. Once the symlink is created pointing from `~/.ssh/authorized_keys` to `/root/.ssh/authorized_keys`, any subsequent SSH key synchronization performed by the privileged Froxlor process will append the attacker's public key to root's authorized keys file. This results in persistent root access to the server, enabling full system compromise and potentially allowing attackers to establish backdoors, exfiltrate data, or disrupt services.

This vulnerability demonstrates a classic privilege escalation pattern that aligns with ATT&CK technique T1068, where an attacker exploits a system process with elevated privileges to gain root access. The flaw represents a failure in the principle of least privilege and proper input validation, as the system does not validate the integrity of the target file path before modification. The patch implemented in version 2.3.7 addresses this by ensuring proper path validation and preventing the system from following symbolic links during the SSH key provisioning process. Organizations should implement immediate mitigation strategies including upgrading to version 2.3.7 or later, reviewing all customer accounts for potential symlink manipulation, and monitoring for unauthorized file modifications in SSH-related directories to prevent exploitation of this critical vulnerability.
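The two defensive points in the analysis above (a privileged writer must not follow a symlink at any component of a customer-controlled path, and administrators should review customer homes for planted symlinks) are shown together in the following added example. It is not Froxlor's code and makes no claim about how the 2.3.7 patch is written; it is a generic hardened "append key" routine in Python that opens each path component with O_NOFOLLOW relative to the previous directory descriptor and verifies ownership on the open descriptor rather than on the path, plus a small audit helper. The fixture it runs against is constructed inside a temporary directory (a stand-in file replaces `/root/.ssh/authorized_keys`; the key strings and home names are placeholders).

```python
import errno
import os
import stat
import tempfile


def safe_append_authorized_key(home_dir: str, pubkey: str, owner_uid: int) -> str:
    """Append one public key to <home_dir>/.ssh/authorized_keys from a privileged
    context without following a symlink at any component.

    home, .ssh and authorized_keys are each opened with O_NOFOLLOW relative to the
    descriptor of the previous component, so a symlink planted at ~/.ssh or
    ~/.ssh/authorized_keys makes open() fail with ELOOP instead of redirecting the
    write. Ownership and link count are checked on the opened descriptors (fstat),
    never on a path string, so nothing can be swapped between check and use.
    Returns the path that was written. (Added example, not Froxlor's code.)
    """
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    home_fd = os.open(home_dir, dir_flags)
    try:
        if os.fstat(home_fd).st_uid != owner_uid:
            raise PermissionError(f"{home_dir} is not owned by uid {owner_uid}")
        try:
            ssh_fd = os.open(".ssh", dir_flags, dir_fd=home_fd)
        except FileNotFoundError:
            # Create it ourselves (0700) and hand it to the customer; a symlink
            # named .ssh would have been reported as ELOOP above, not ENOENT.
            os.mkdir(".ssh", 0o700, dir_fd=home_fd)
            os.chown(".ssh", owner_uid, -1, dir_fd=home_fd, follow_symlinks=False)
            ssh_fd = os.open(".ssh", dir_flags, dir_fd=home_fd)
        try:
            if os.fstat(ssh_fd).st_uid != owner_uid:
                raise PermissionError(".ssh is not owned by the customer")
            key_fd = os.open(
                "authorized_keys",
                os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW,
                0o600,
                dir_fd=ssh_fd,
            )
            try:
                st = os.fstat(key_fd)
                # Must be a regular file with a single link: a hard link to a
                # foreign file (the hardlink variant of the same trick) shows
                # nlink > 1 and a foreign owner.
                if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
                    raise PermissionError("authorized_keys is not a plain file")
                if st.st_uid != owner_uid:
                    # Only a file this process just created (empty, owned by the
                    # caller) may be adopted and handed to the customer.
                    if st.st_size != 0 or st.st_uid != os.geteuid():
                        raise PermissionError("authorized_keys has a foreign owner")
                    os.fchown(key_fd, owner_uid, -1)
                os.write(key_fd, (pubkey.strip() + "\n").encode())
            finally:
                os.close(key_fd)
        finally:
            os.close(ssh_fd)
    finally:
        os.close(home_fd)
    return os.path.join(home_dir, ".ssh", "authorized_keys")


def find_symlinked_ssh_paths(home_root: str) -> list:
    """Audit helper: list every ~/.ssh and ~/.ssh/authorized_keys under
    home_root that is itself a symlink, for the post-upgrade review."""
    hits = []
    for name in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, name)
        for rel in (".ssh", os.path.join(".ssh", "authorized_keys")):
            path = os.path.join(home, rel)
            if os.path.islink(path):
                hits.append(path)
    return hits


def build_demo(root: str) -> dict:
    """Constructed fixture: two customer homes and a stand-in for root's key file
    (inside the temp dir, never the real /root). The 'evil' home has its
    authorized_keys replaced by a symlink to that stand-in, as the advisory describes."""
    root_keys = os.path.join(root, "root_authorized_keys")
    with open(root_keys, "w") as f:
        f.write("ssh-ed25519 AAAA-root-placeholder root@host\n")
    homes = os.path.join(root, "customers")
    clean = os.path.join(homes, "clean")
    evil = os.path.join(homes, "evil")
    os.makedirs(clean)
    os.makedirs(os.path.join(evil, ".ssh"), mode=0o700)
    os.symlink(root_keys, os.path.join(evil, ".ssh", "authorized_keys"))
    return {"homes": homes, "clean": clean, "evil": evil, "root_keys": root_keys}


def run_demo() -> dict:
    """Run the hardened append against both homes and report what happened."""
    uid = os.getuid()
    key = "ssh-ed25519 AAAAC3-constructed-key customer@example"
    with tempfile.TemporaryDirectory() as root:
        fx = build_demo(root)
        written = safe_append_authorized_key(fx["clean"], key, uid)
        with open(written) as f:
            clean_content = f.read()
        try:
            safe_append_authorized_key(fx["evil"], key, uid)
            blocked = False
        except OSError as exc:
            blocked = exc.errno == errno.ELOOP  # O_NOFOLLOW refused the symlink
        with open(fx["root_keys"]) as f:
            root_unchanged = key not in f.read()
        audit = [os.path.relpath(p, fx["homes"]) for p in find_symlinked_ssh_paths(fx["homes"])]
        return {"clean_content": clean_content, "blocked": blocked,
                "root_unchanged": root_unchanged, "audit": audit}


if __name__ == "__main__":
    print(run_demo())
```

The essential property is that the decision to refuse is made by the kernel at open time (ELOOP from O_NOFOLLOW on the final component, opened via `dir_fd`), not by an `os.path.islink()` check followed by a separate `open()`, which would leave a window between check and use. The audit helper is only a triage aid: a `.ssh` directory that is itself a symlink is reported as such, and the files beneath it are not inspected further.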

Responsible: GitHub M

Reservation: 04/18/2026

Disclosure: 06/04/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: low

Sources
