CVE-2026-41234: Froxlor: BIND Zone File Injection via TXT Record Content
Froxlor is open source server administration software. Prior to version 2.3.7, the `DomainZones.add` API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives (`$INCLUDE`, `$GENERATE`) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron. This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records. Version 2.3.7 contains an updated patch.
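The two defensive checks this description implies, as an added example (not Froxlor's patch and not HarborGuard code): refuse control characters in TXT content before it is rendered into a zone line, and flag unexpected directives in a generated zone file. The function names, the `$TTL`/`$ORIGIN` allowlist and the sample zone are assumptions constructed for illustration.

```python
import re

# CR/LF and other control characters must never reach a line-oriented zone file.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Assumption: a generated zone legitimately uses only these directives.
ALLOWED_DIRECTIVES = {"$TTL", "$ORIGIN"}


def encode_txt_rdata(content: str) -> str:
    """Render TXT content as quoted character-strings, or raise ValueError."""
    if _CONTROL.search(content):
        raise ValueError("control character (e.g. CR/LF) in TXT content")
    raw = content.encode("utf-8")
    # A TXT character-string holds at most 255 octets; split longer values.
    chunks = [raw[i:i + 255] for i in range(0, len(raw), 255)] or [b""]
    rendered = []
    for chunk in chunks:
        parts = []
        for byte in chunk:
            if byte in (0x22, 0x5C):       # '"' and '\' would end or alter the string
                parts.append("\\" + chr(byte))
            elif 0x20 <= byte <= 0x7E:     # printable ASCII passes through
                parts.append(chr(byte))
            else:                          # other octets as RFC 1035 \DDD (decimal)
                parts.append(f"\\{byte:03d}")
        rendered.append('"' + "".join(parts) + '"')
    return " ".join(rendered)


def unexpected_directives(zone_text: str) -> list[tuple[int, str]]:
    """Return (line number, line) for directives outside the allowlist."""
    hits = []
    for number, line in enumerate(zone_text.splitlines(), start=1):
        stripped = line.lstrip()
        if stripped.startswith("$") and stripped.split(None, 1)[0].upper() not in ALLOWED_DIRECTIVES:
            hits.append((number, line))
    return hits


# Constructed sample zone file (documentation names and addresses only).
SAMPLE_ZONE = """$TTL 604800
$ORIGIN example.test.
@ IN TXT "v=spf1 -all"
$GENERATE 1-2 h$ A 192.0.2.1
www IN A 192.0.2.10
"""
```

The audit only catches directives; records that were injected as ordinary lines need a comparison against the records stored in the panel's database.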
Metrics
- CVSS v3.1: 7.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a BIND zone file injection vulnerability in Froxlor, an open source server administration panel. An authenticated user with DNS editing permissions can inject newline characters into TXT record content via the DomainZones.add API endpoint, breaking out of the intended record line in the generated zone file and inserting arbitrary BIND directives or DNS records. Successful exploitation lets an attacker tamper with DNS zone data at a high level of impact, potentially redirecting traffic, inserting rogue DNS records, or triggering dangerous BIND directives such as $INCLUDE or $GENERATE. HarborGuard is tracking this advisory for patch availability, as no fix version has been published yet.
HarborGuard Coverage
Detection for CVE-2026-41234 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Froxlor. Any image carrying a Froxlor version below 2.3.7 is flagged.
Status: Available
HarborGuard scores this CVE at 7.6 HIGH using the published CVSS v3.1 vector, and triage surfacing is available with per-environment compliance policy weighting applied to prioritize findings. Alerts are routable to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Froxlor ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically once an upstream fix is confirmed.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable API endpoint is exposed over the network, so an attacker must be able to reach the Froxlor service remotely.
- Authentication: Required
The attacker must hold a valid low-privilege customer account with DNS editing permissions enabled; anonymous access is not sufficient.
- Victim interaction: Not required
No victim interaction is needed; the attacker submits a crafted API request directly and the injected zone file is written by the DNS rebuild cron without any user action.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and imposes no special environmental conditions, race requirements, or memory-layout dependencies on the attacker.
Blast Radius
- Attacker inserts arbitrary DNS records (A, MX, CNAME) into the victim zone file, redirecting traffic for any hostname in the affected zone.
- Attacker injects $INCLUDE or $GENERATE BIND directives, potentially causing BIND to read attacker-influenced files from disk or generate large numbers of synthetic records.
- Zone integrity is broken at a high impact level, enabling ongoing manipulation of DNS responses served to all clients resolving the affected domain.
- Availability of the DNS service is degraded at a low level, for example through malformed directives that cause BIND to fail zone loading.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for CVE-2026-41234, HarborGuard re-evaluates the advisory on every ingest cycle and will surface a patched-image rebuild the moment Froxlor releases a remediated version. In the interim, compensating controls available within HarborGuard include network-policy isolation findings that can prompt teams to restrict access to the Froxlor API to trusted IP ranges only, reducing the pool of accounts able to reach the vulnerable endpoint. Teams can also use HarborGuard policy gates to block promotion of images carrying affected Froxlor versions into production pipelines until an upstream fix is confirmed. For customers with auto-remediation enabled, the full rebuild, regression-test run, and PR flow will trigger automatically once a fix version is published upstream.
- froxlor / froxlor < 2.3.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L