froxlor/froxlor

CVE-2026-41235

CVE-2026-41235 is a high-severity incorrect authorization vulnerability in froxlor/froxlor (composer), affecting versions = 2.3.6. It is fixed in 2.3.7.

Key facts
CVSS score
8.8
High
Attack vector
Network
Issuing authority
GitHub Advisory Database
Affected package
froxlor/froxlor
Fixed in
2.3.7
Disclosed
2026

Summary

Froxlor 2.3.6 lets administrators configure system.availableshells as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer with shell delegation enabled can submit an arbitrary shell such as /bin/bash even when the panel UI only offers more restricted choices. In deployments that use the default nssextrausers integration, the attacker-controlled shell is then propagated into the system account database, leading to real host shell access.

Details

The customer-facing FTP account page builds the shell selector from system.availableshells, which shows that the product intends the setting to act as the authorization boundary:

The request handler forwards posted form data directly into the FTP API command implementation:

On the server side, Ftps::add() and Ftps::update() only perform generic shell string validation. They do not verify that the submitted shell belongs to system.availableshells:

The validated shell is stored into ftpusers.shell and later consumed by the root-owned cron task that rebuilds NSS extrausers files:

Because the default installer configuration sets system.nssextrausers=1, and the shipped Debian/Bookworm configuration enables extrausers in nsswitch.conf, the attacker-controlled shell becomes the effective login shell of the generated system user on standard supported deployments.

PoC

An attacker needs a normal customer account and a deployment where customer shell delegation is enabled for that customer. Relevant runtime prerequisites:

  • system.allowcustomershell=1
  • the attacking customer has shellallowed=1
  • the deployment uses system.nssextrausers=1 with the shipped libnss-extrausers integration

Froxlor requires a valid CSRF token for POST requests, so the attacker performs the exploit from an authenticated session.

Complete PoC flow:

  1. Log in as a customer and obtain a valid csrftoken.
  2. Identify one FTP account owned by that customer.
  3. Submit an edit request that sets an arbitrary shell outside the administrator-approved system.availableshells list:
  4. Wait for Froxlor's master cron to process the queued REBUILDNSSUSERS task.

Result:

  • the request is accepted even if /bin/bash is not present in system.availableshells
  • ftpusers.shell is updated to /bin/bash
  • /var/lib/extrausers/passwd is regenerated with /bin/bash as the FTP user's login shell
  • the attacker can then authenticate to the host using that FTP user's credentials and obtain an interactive shell

Impact

This issue lets a low-privileged customer bypass an administrator-defined authorization boundary and promote an FTP-only account into a real shell account. On shared-hosting systems managed by Froxlor, that materially changes the trust model and can expose the host to lateral movement, local privilege-escalation follow-on attacks, data theft from colocated services, and persistence on the server. Because the vulnerable flow is executed through the normal authenticated web interface and a root-owned provisioning task later materializes the chosen shell at the operating-system level, the vulnerability is stronger than a UI-only restriction bypass.
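The server-side whitelist check that the advisory says Ftps::add()/update() lacked, plus an audit of the regenerated extrausers passwd file for shells outside the approved list, as an added Python example that is not Froxlor's own code. It assumes system.availableshells is a comma-separated string and that the extrausers passwd file uses the standard seven-field passwd(5) layout; the sample lines are constructed.

```python
from dataclasses import dataclass


def parse_available_shells(setting: str) -> set[str]:
    """Normalise the admin-approved list (assumed comma-separated) to a set."""
    return {s.strip() for s in setting.split(",") if s.strip()}


def validate_requested_shell(requested: str, available: set[str]) -> str:
    """The server-side whitelist check the 2.3.6 handlers lacked:
    accept only an exact match against system.availableshells."""
    if requested not in available:
        raise PermissionError(f"shell {requested!r} not in system.availableshells")
    return requested


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    shell: str


def parse_extrausers_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd(5)-style lines; malformed lines are skipped, not guessed."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != 7:
            continue
        entries.append(PasswdEntry(fields[0], int(fields[2]), fields[6]))
    return entries


def find_unapproved_shells(text: str, available: set[str]) -> list[PasswdEntry]:
    """Audit the regenerated extrausers passwd file for shells outside the list."""
    return [e for e in parse_extrausers_passwd(text) if e.shell not in available]


# Constructed sample input, not real data: one FTP user ended up with /bin/bash.
SAMPLE_PASSWD = (
    "web1:x:10001:10001:customer web1:/var/customers/webs/web1:/bin/false\n"
    "web1ftp2:x:10002:10001:ftp user:/var/customers/webs/web1/ftp:/bin/bash\n"
)
SAMPLE_SETTING = "/bin/false,/usr/sbin/nologin"

if __name__ == "__main__":
    approved = parse_available_shells(SAMPLE_SETTING)
    for e in find_unapproved_shells(SAMPLE_PASSWD, approved):
        print(f"ALERT user={e.name} uid={e.uid} shell={e.shell}")
```

Running the audit against the real /var/lib/extrausers/passwd after upgrading to 2.3.7 shows whether any account was promoted before the fix was applied.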

Impact

What is incorrect authorization?

The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.

Severity and exposure

CVE-2026-41235 has a CVSS score of 8.8 (High). The attack vector is network, the privileges required are low, and no user interaction is needed. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (2.3.7). Upgrading removes the vulnerable code path.

Affected versions

composer

  • froxlor/froxlor (= 2.3.6)

Security releases

  • froxlor/froxlor → 2.3.7 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2026-41235 is reachable in your applications. Explore open-source security for your team.



Remediation advice

Upgrade froxlor/froxlor to 2.3.7 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-41235

What is CVE-2026-41235?

CVE-2026-41235 is a high-severity incorrect authorization vulnerability in froxlor/froxlor (composer), affecting versions = 2.3.6. It is fixed in 2.3.7. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.

How severe is CVE-2026-41235?

CVE-2026-41235 has a CVSS score of 8.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which versions of froxlor/froxlor are affected by CVE-2026-41235?

froxlor/froxlor (composer) version = 2.3.6 is affected.

Is there a fix for CVE-2026-41235?

Yes. CVE-2026-41235 is fixed in 2.3.7. Upgrade to this version or later.

Is CVE-2026-41235 exploitable, and should I be worried?

Whether CVE-2026-41235 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2026-41235 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-41235?

Upgrade froxlor/froxlor to 2.3.7 or later.
