Severity: HIGH | CVE-2026-41236 | CNA: GitHub_M

CVE-2026-41236: Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path

Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link. If an attacker controls a shell-enabled customer account and can modify files inside the assigned home directory, the attacker can replace `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys`. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key into root's authorized key file, resulting in root SSH access. Version 2.3.7 contains a patch.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 2.3.7
Affected Products: 1


HarborGuard Analysis

Synopsis

A symlink-following privilege escalation affects Froxlor version 2.3.6, specifically in the root-owned SSH key synchronization routine for customer FTP users. The flaw is reachable over the network by any low-privilege authenticated customer account, with no additional interaction required from an administrator or other victim. Successful exploitation gives the attacker root SSH access to the host server. A patched-image rebuild at version 2.3.7 is available on HarborGuard for environments running the affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Froxlor 2.3.6. Any image carrying the affected package version is flagged automatically.

Status: Available
Triage

HarborGuard scores this finding at CVSS 8.8 (HIGH) and can weight that score against each environment's compliance policy to set priority. Triage routing directs the alert to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

Because version 2.3.7 contains the upstream fix, a patched-image rebuild at that version is available on HarborGuard for any environment found running 2.3.6. For customers who opt into auto-remediation, HarborGuard is capable of performing the rebuild, running a regression test suite, and opening a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Froxlor service over the network to authenticate and manipulate files in the assigned home directory; AV:N confirms this is a remotely exploitable path.

  • Authentication: Required

    A low-privilege customer account with shell access is sufficient; no administrative credentials are needed (PR:L).

  • Victim interaction: Not required

    No administrator or other user needs to take any action; the privileged cron task runs automatically and triggers the key write without any victim involvement (UI:N).

  • Attack complexity: Low

    Exploitation is reliable and condition-free once the attacker has placed the symlink; no race conditions or special memory layout requirements apply (AC:L).

Blast Radius

  • The attacker's supplied SSH public key is written into /root/.ssh/authorized_keys, granting direct root SSH login to the host server.
  • With root access, the attacker reads all data on the host, including credentials, private keys, and customer data stored on the server.
  • With root access, the attacker modifies or deletes any file on the system, including Froxlor configuration, hosted web content, and database files.
  • The attacker can crash, reconfigure, or fully take over any service running on the host, including web, mail, and database processes managed by Froxlor.

How HarborGuard Handles This

Available on HarborGuard: detection is matched against all images carrying froxlor 2.3.6 within minutes of advisory ingestion, covering both upstream base images and internally built images. Where compliance policy permits, customers with auto-remediation enabled receive a rebuilt image at froxlor 2.3.7, a regression test run, and a PR opened against affected workloads; for HIGH-severity issues this flow typically completes within 90 minutes of CVE publication. Because this vulnerability allows a low-privilege tenant account to escalate to root via a predictable cron-driven write, organizations that cannot immediately rebuild should consider isolating customer home directories so symlinks cannot target system paths (for example, using a bind-mounted chroot or a filesystem that restricts symlink traversal across ownership boundaries), and reviewing whether shell-enabled customer accounts are necessary until the patch is applied.
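The two defensive pieces described above, as an added example that is not code from Froxlor or HarborGuard (Froxlor itself is PHP; Python is used here only for illustration): a key-sync append step that refuses to write through a symlinked home, `.ssh` directory or `authorized_keys` file (lstat on every component, ownership check against the customer uid, `O_NOFOLLOW` on the open, and an inode comparison after opening), plus a scan that reports customer homes whose key path is already a symlink. The function names, the stand-in file used in place of `/root/.ssh/authorized_keys`, the temporary customer homes and the sample key are all constructed for the demo.

```python
"""Added example: symlink-aware authorized_keys sync step and a check for
customer homes whose key path is already a symlink. Not Froxlor's own code."""
import errno
import os
import stat
import tempfile
from pathlib import Path


class UnsafeKeyPath(Exception):
    """Raised when the key path is a symlink, wrongly owned, or not a regular file."""


def _lstat_owned(path: Path, owner_uid: int) -> os.stat_result:
    # lstat never follows symlinks, so a symlinked component is seen as one.
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeKeyPath(f"{path} is a symbolic link")
    if st.st_uid != owner_uid:
        raise UnsafeKeyPath(f"{path} is owned by uid {st.st_uid}, expected {owner_uid}")
    return st


def safe_append_authorized_key(home: Path, pubkey: str, owner_uid: int) -> int:
    """Append one key line to home/.ssh/authorized_keys, refusing the write when
    home, home/.ssh or the key file is a symlink or not owned by owner_uid.
    Returns the number of bytes written."""
    ssh_dir = home / ".ssh"
    key_file = ssh_dir / "authorized_keys"
    for d in (home, ssh_dir):
        if not stat.S_ISDIR(_lstat_owned(d, owner_uid).st_mode):
            raise UnsafeKeyPath(f"{d} is not a directory")
    try:
        before = _lstat_owned(key_file, owner_uid)
        if not stat.S_ISREG(before.st_mode):
            raise UnsafeKeyPath(f"{key_file} is not a regular file")
    except FileNotFoundError:
        before = None  # first key for this account: the file is created below
    # O_NOFOLLOW makes the kernel reject a symlink at the final component
    # (ELOOP), closing the lstat-to-open window the check above alone leaves.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(key_file, flags, 0o600)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise UnsafeKeyPath(f"{key_file} turned into a symlink") from exc
        raise
    try:
        if before is None:
            # A root-run cron job must hand a newly created file to the customer.
            os.fchown(fd, owner_uid, -1)
        after = os.fstat(fd)
        if not stat.S_ISREG(after.st_mode) or after.st_uid != owner_uid:
            raise UnsafeKeyPath(f"{key_file}: opened object is not the customer's regular file")
        if before is not None and (after.st_dev, after.st_ino) != (before.st_dev, before.st_ino):
            raise UnsafeKeyPath(f"{key_file} was swapped between check and open")
        return os.write(fd, (pubkey.strip() + "\n").encode())
    finally:
        os.close(fd)


def find_symlinked_key_paths(home_dirs) -> list:
    """Defender check for the pre-patch condition: every home whose .ssh
    directory or authorized_keys file is a symbolic link."""
    hits = []
    for home in map(Path, home_dirs):
        for p in (home / ".ssh", home / ".ssh" / "authorized_keys"):
            if p.is_symlink():
                hits.append(str(p))
    return hits


def demo() -> dict:
    """Constructed scenario under a temp dir: one clean customer home and one
    whose authorized_keys is a symlink to a stand-in for /root/.ssh/authorized_keys."""
    uid = os.getuid()
    base = Path(tempfile.mkdtemp())
    stand_in_root_keys = base / "stand_in_root_authorized_keys"  # constructed target
    stand_in_root_keys.write_text("")
    clean, evil = base / "cust_clean", base / "cust_evil"
    for home in (clean, evil):
        (home / ".ssh").mkdir(parents=True, mode=0o700)
    (evil / ".ssh" / "authorized_keys").symlink_to(stand_in_root_keys)
    key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyDataNotARealKey customer@example"

    result = {"flagged": find_symlinked_key_paths([clean, evil])}
    result["clean_written"] = safe_append_authorized_key(clean, key, uid)
    try:
        safe_append_authorized_key(evil, key, uid)
        result["evil_refused"] = False
    except UnsafeKeyPath:
        result["evil_refused"] = True
    result["stand_in_untouched"] = stand_in_root_keys.read_text() == ""
    return result


if __name__ == "__main__":
    print(demo())
```

The ownership check matters as much as the symlink check: a hard link or a directory the customer does not own would also be a path a privileged writer should not follow, and `O_NOFOLLOW` only protects the final component, which is why `.ssh` and the home itself are inspected with `lstat` first. The scan function is the interim check for the pre-patch condition while a rebuild is pending.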

Affected packages

  • froxlor / froxlor = 2.3.6

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H