CVE-2026-41235: Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement
Froxlor is open-source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer with shell delegation enabled can submit an arbitrary shell such as `/bin/bash` even when the panel UI only offers more restricted choices. In deployments that use the default `nssextrausers` integration, the attacker-controlled shell is then propagated into the system account database, leading to real host shell access. Version 2.3.7 fixes the issue.
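The bug class described above is a client-side restriction with no matching server-side check. The following is an added example, not Froxlor's own code (Froxlor is PHP; Python is used here so the two patterns can be run side by side): a vulnerable shell resolver that trusts the submitted value beside a hardened one that re-derives the approved list from `system.available_shells` on the server and requires an exact match. The `system.default_shell` setting name, the request model and the one-path-per-line setting format are assumptions for this example.

```python
"""Added example, not Froxlor's own code: the missing server-side check
behind CVE-2026-41235, shown as a vulnerable resolver beside a hardened
one. Setting names other than system.available_shells, the request model
and the one-path-per-line setting format are assumptions for this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed settings: the panel UI would only ever offer these two shells.
# system.default_shell is a hypothetical name for the fallback shell.
SETTINGS: Dict[str, str] = {
    "system.available_shells": "/bin/false\n/usr/sbin/nologin",
    "system.default_shell": "/bin/false",
}


@dataclass
class FtpAccountRequest:
    """Fields of an FTP add/edit request as seen by the server-side handler."""
    username: str
    shell: Optional[str]       # taken verbatim from the HTTP request body
    shell_delegation: bool     # customer-level flag: may they pick a shell?


class RejectedShell(ValueError):
    """Raised when the submitted shell is not on the approved list."""


def available_shells(settings: Dict[str, str]) -> FrozenSet[str]:
    """Parse the approved-shell setting (assumed one path per line) into a
    set used for exact matching; no prefix or substring matching."""
    raw = settings.get("system.available_shells", "")
    return frozenset(s.strip() for s in raw.splitlines() if s.strip())


def resolve_shell_vulnerable(req: FtpAccountRequest,
                             settings: Dict[str, str]) -> str:
    """Pattern of the flaw: the UI's dropdown limited the choice, but the
    handler trusts whatever value arrives once delegation is enabled."""
    if req.shell_delegation and req.shell:
        return req.shell                      # never compared to the whitelist
    return settings["system.default_shell"]


def resolve_shell_hardened(req: FtpAccountRequest,
                           settings: Dict[str, str]) -> str:
    """Fixed pattern: re-derive the allowed set on the server and require an
    exact match; delegation being off means the submitted value is ignored."""
    default = settings["system.default_shell"]
    if not req.shell_delegation or not req.shell:
        return default
    shell = req.shell.strip()
    if shell not in available_shells(settings):
        raise RejectedShell(f"shell {shell!r} is not in system.available_shells")
    return shell
```

The hardened resolver deliberately ignores the submitted shell when delegation is off, rather than validating it, so a customer without the privilege cannot influence the stored value at all; the exact-match set avoids the prefix matches (`/bin/false_but_not`) that a `startswith` check would let through.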
Metrics
- CVSS v4.0: 8.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authorization bypass vulnerability in Froxlor 2.3.6 allows an authenticated customer to assign an arbitrary shell (such as /bin/bash) to an FTP user by circumventing server-side enforcement of the configured shell whitelist. The attack is reachable over the network and requires only a low-privilege customer account with shell delegation enabled. In deployments using the default nssextrausers integration, successful exploitation grants real host shell access, with high confidentiality, integrity, and availability impact on both the affected system and downstream systems. Version 2.3.7 fixes the issue, and a patched-image rebuild at that version is available on HarborGuard for affected environments.
HarborGuard Coverage
- Detection: Available
  Detection of CVE-2026-41235 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images containing Froxlor 2.3.6. Any image carrying the affected version is flagged immediately in the pipeline scan results.
- Triage: Available
  HarborGuard is capable of scoring this finding at CVSS 8.6 (HIGH) and weighting it against each environment's compliance policy to determine urgency and routing. Triage results are surfaced to the appropriate team inbox within each customer organization based on their configured notification rules.
- Remediation: Pending upstream
  Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainers ship a corrected release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point, where compliance policy permits.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Froxlor panel over the network to submit the malicious FTP account add or edit request.
- Authentication: Required
  Any low-privilege customer account with shell delegation enabled is sufficient; no administrative credentials are needed.
- Victim interaction: Not required
  No victim action is needed; the attacker submits the crafted request directly to the server-side handler.
- Attack complexity: Low (AC:L in the CVSS v4 vector)
  The exploit is reliable and condition-free once the attacker has a qualifying account; no race conditions or special environmental factors apply.
Blast Radius
- Reads files and data accessible to the host shell user created via the attacker-controlled FTP account, including configuration files containing credentials.
- Modifies or deletes files on the host system within the permission scope of the escalated shell user.
- Crashes or degrades host services by consuming resources or corrupting files reachable by the shell user.
- Propagates compromise to systems reachable from the host, given that both the affected system and any networked downstream systems carry high subsidiary confidentiality, integrity, and availability impact per the CVSS v4 vector.
How HarborGuard Handles This
Available on HarborGuard: detection of CVE-2026-41235 in images running Froxlor 2.3.6 is active across all connected registries and CI pipelines, with ingestion latency of minutes from advisory publication. Because no upstream fix version exists at this time, HarborGuard will monitor the advisory on every ingest cycle and make a rebuilt image available at the corrected version the moment it is published. In the interim, compensating controls worth evaluating include network-policy rules that restrict access to the Froxlor panel to trusted IP ranges, disabling shell delegation in customer account settings if it is not operationally required, and egress filtering on the host to limit lateral movement from any shell obtained through this path. For customers who opt into auto-remediation, the patched rebuild, regression test run, and PR against affected workloads will trigger automatically upon upstream fix publication, where compliance policy permits.
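Beyond the compensating controls above, a deployment that uses nssextrausers can detect an account created through this path after the fact, because the attacker-chosen shell ends up in the passwd-format account database. The following is an added example, not Froxlor's or nssextrausers' own code: a small audit that parses passwd(5)-style lines and reports customer-range accounts whose shell is outside the approved list. The sample file contents, the uid threshold used to separate customer accounts from system accounts, and the approved-shell set are constructed for the example; the real file location is deployment-specific.

```python
"""Added example, not Froxlor's own code: audit a passwd-format account
database (the kind nssextrausers feeds into NSS) for accounts whose login
shell is outside the approved list. File contents, uid range and the
approved-shell set below are constructed for the example."""
from typing import Dict, FrozenSet, List

# Approved shells; in Froxlor this list lives in system.available_shells.
ALLOWED_SHELLS: FrozenSet[str] = frozenset({"/bin/false", "/usr/sbin/nologin"})

# Constructed sample. The last customer line models an FTP account whose
# shell was set through the bypass; the final line is deliberately malformed.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
web1:x:10000:10000::/var/customers/webs/web1:/bin/false
web1ftp1:x:10001:10000::/var/customers/webs/web1/ftp:/usr/sbin/nologin
web2ftp1:x:10002:10001::/var/customers/webs/web2:/bin/bash
this line is malformed and must not abort the audit
"""


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse passwd(5) lines into dicts; malformed lines are skipped so a
    single bad record cannot hide the rest of the file from the audit."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": uid, "gid": gid,
                        "home": home, "shell": shell})
    return entries


def find_unexpected_shells(text: str, allowed: FrozenSet[str],
                           min_uid: int = 10000) -> List[Dict[str, str]]:
    """Return accounts at or above min_uid (a constructed threshold for the
    customer range) whose shell is not on the approved list."""
    return [e for e in parse_passwd(text)
            if int(e["uid"]) >= min_uid and e["shell"] not in allowed]


def report(findings: List[Dict[str, str]]) -> List[str]:
    """One human-readable line per finding, suitable for a cron job's mail."""
    return [f"{e['name']} (uid {e['uid']}) has non-approved shell {e['shell']}"
            for e in findings]


if __name__ == "__main__":
    for line in report(find_unexpected_shells(SAMPLE_PASSWD, ALLOWED_SHELLS)):
        print(line)
```

Run against the real account database, the approved set should be taken from the panel's `system.available_shells` value rather than hard-coded, and the uid threshold should match the range the panel actually allocates to customers; lowering `min_uid` to 0 also reports system accounts such as root, which is noise for this purpose.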
Affected Products
- froxlor/froxlor = 2.3.6
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P