CVE-2026-41236: Froxlor 2.3.6 Symlink Privilege Escalation to Root
Froxlor version 2.3.6 contains a privilege escalation vulnerability in its SSH key synchronization mechanism for FTP users. An attacker with shell access to a customer account can exploit a symlink-following flaw to redirect the root-owned SSH key provisioning process into writing unauthorized keys to the system root account, granting SSH access as root. This vulnerability requires prior authentication and file system access on the affected system but results in complete system compromise.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-59
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link. If an attacker controls a shell-enabled customer account and can modify files inside the assigned home directory, the attacker can replace `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys`. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key into root's authorized key file, resulting in root SSH access. Version 2.3.7 contains a patch.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-41236 is a classic symlink-following vulnerability (CWE-59) in Froxlor's SSH key synchronization routine. The root-owned cron task that provisions SSH keys for customer FTP users appends public keys to ~/.ssh/authorized_keys without validating that the target path is not a symbolic link. An authenticated attacker with shell access and home directory write permissions can replace ~/.ssh/authorized_keys with a symlink pointing to /root/.ssh/authorized_keys. When the privileged synchronization task runs, it unwittingly appends the attacker's SSH public key directly into root's authorized_keys file, enabling SSH login as root. The flaw stems from insufficient path validation before file operations in a privileged context.
Business impact
Successful exploitation results in complete system compromise via unauthenticated root SSH access following initial account compromise. Attackers can extract sensitive hosting data, modify customer configurations, access other hosted environments, or pivot to additional infrastructure. For hosting providers running Froxlor, this vulnerability affects multi-tenant isolation and customer data security. Even though exploitation requires a shell-enabled customer account—a less common configuration in modern hosting—the impact is critical because it turns a customer account breach into direct infrastructure control. This is particularly severe in environments serving business customers who may have compliance obligations.
Affected systems
Froxlor version 2.3.6 is affected. Version 2.3.7 contains the patch. Vulnerability impact is limited to installations where customer accounts have shell access enabled, as the attack requires the ability to execute commands and modify files in the customer home directory. Hosting providers and system administrators running Froxlor for multi-tenant server administration should audit their deployments immediately.
Exploitability
Exploitability is moderate to high in vulnerable configurations. The attack requires two conditions: (1) an attacker must first compromise or gain access to a shell-enabled customer account, and (2) they must have write access to their home directory—typical in standard Linux configurations. The actual symlink replacement and key injection requires no special privileges or timing precision; the attack succeeds reliably when the cron task next runs. The CVSS score of 8.8 reflects the requirement for prior authentication (lowering from critical) but recognizes the severe impact of resultant root access. This is not a wormable or massively exploitable vulnerability in the wild, but represents a high-value target for attackers already inside a compromised hosting infrastructure.
Remediation
Upgrade Froxlor to version 2.3.7 or later. The patch implements proper symlink detection and path validation before writing to SSH key files in privileged contexts. Additionally, organizations should review whether shell access is necessary for all customer accounts; disabling shell access for FTP-only users substantially reduces attack surface. Audit logs and file system monitoring can detect symlink creation attempts in customer home directories as a compensating control pending patching.
Patch guidance
Apply Froxlor version 2.3.7 as soon as feasible. Verify the patch is installed by checking the Froxlor version number in the administrative interface or via the package manager on the host. Test the update in a non-production environment first to ensure compatibility with your hosting configuration. Because the vulnerability affects SSH key provisioning, monitor SSH access logs for anomalous root login attempts during and after the patching window to confirm the issue is resolved.
Detection guidance
Look for unexpected symbolic links in customer home directories, particularly ~/.ssh/authorized_keys pointing to system paths. Monitor cron job execution logs for any errors or warnings during SSH key synchronization. Audit /root/.ssh/authorized_keys for unexpected or recently added keys, particularly any added around the time a customer account was created or modified. Network intrusion detection should flag unusual SSH root login attempts from internal customer-owned addresses. File integrity monitoring on sensitive SSH configuration files can alert to unauthorized modifications.
Why prioritize this
This vulnerability merits urgent attention because it enables trivial privilege escalation from customer to root once a customer account is compromised. For hosting providers, this is a critical infrastructure risk; for self-hosted Froxlor installations serving multiple users, this undermines the entire multi-user isolation model. While not currently in the CISA KEV catalog, the combination of high CVSS (8.8), clear attack chain, and ease of exploitation in vulnerable configurations makes this a priority for patching. Organizations with shell-enabled customer accounts should patch within days, not weeks.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects: Network-accessible attack vector (cron task runs as root, reachable via FTP/shell), low attack complexity (no special conditions beyond symlink replacement), requirement for low privilege (customer account), no user interaction, unchanged scope, and high confidentiality, integrity, and availability impact (root compromise). The score appropriately captures the severity of the impact while acknowledging that initial account compromise is a prerequisite; this is not a zero-click or unauthenticated remote code execution.
Frequently asked questions
Does this vulnerability affect FTP users without shell access?
No. The attack requires shell access to execute commands and modify files. If you have disabled shell access for all customer accounts, you are not vulnerable to this exploit chain, though you should still upgrade to eliminate the code flaw.
Can this be exploited remotely without already having a customer account?
Not directly. An attacker must first compromise or possess valid credentials for a shell-enabled customer account. However, once inside, exploitation is straightforward and requires no additional authentication or special privileges.
What should I do if I cannot patch immediately?
Disable shell access for all customer accounts as an emergency mitigation. Remove execute permissions from customer home directories if operationally feasible. Implement strict SSH access controls limiting root SSH login to specific trusted IPs only. Monitor /root/.ssh/authorized_keys and SSH logs continuously for signs of exploitation.
Is there a way to detect if this vulnerability has already been exploited on my system?
Review SSH login logs for any root logins from unexpected sources. Examine /root/.ssh/authorized_keys for unknown or recently added keys with timestamps correlating to customer account activity. Check for symbolic links in customer ~/.ssh directories using tools like find. Correlate file system events with cron task execution times.
This analysis is provided for informational and educational purposes. While the technical details are factual and based on the published CVE record, organizations should verify patch applicability and compatibility with their specific Froxlor deployment and environment. No exploit code or weaponized proof-of-concept is provided. Always test patches in non-production environments and follow your organization's change management procedures. SEC.co does not provide warranties regarding the accuracy, completeness, or timeliness of this intelligence and recommends consulting official Froxlor security advisories and your vendor for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11322MEDIUMHermes WebUI Path Traversal Vulnerability – Credential Exposure Risk
- CVE-2026-40861MEDIUMApache Airflow Path Traversal – Log Directory Symlink and Directory Escape Vulnerability
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction