CVE-2026-52793 is a high-severity improper authentication vulnerability in froxlor/froxlor (composer), affecting versions < 2.3.7. It is fixed in 2.3.7.
Summary

Froxlor's API authentication (FroxlorRPC::validateAuth) does not enforce Two-Factor Authentication. When a user (admin or customer) enables 2FA on their account, the web UI correctly requires a TOTP code after password verification. However, the API accepts requests authenticated with only an API key and secret: no TOTP challenge is issued, checked, or required. An attacker who obtains a leaked API key and secret for a 2FA-protected account has full access to all API operations without providing a second factor.

Affected Code

Web UI, 2FA enforced (index.php:82-149):

API, 2FA absent (lib/Froxlor/Api/FroxlorRPC.php:75-105):

There are zero references to 2FA, TOTP, type2fa, or FroxlorTwoFactorAuth in the entire lib/Froxlor/Api/ directory:

PoC

Environment:
- Froxlor 2.3.5, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)
- API enabled (api.enabled=1)
- Admin account has 2FA enabled (type2fa=1, TOTP configured)
- Admin has an API key

Step 1: Confirm 2FA blocks web UI login

Result: Redirect to index.php?showmessage=4 (the 2FA page). Login is NOT completed; the user cannot access the dashboard without entering a TOTP code.

Step 2: Authenticate via API, no TOTP required

Result: HTTP 200 with full customer listing. No TOTP code was provided, no 2FA prompt was returned, and full access was granted.

Step 3: Access additional sensitive resources

All of these succeed without any 2FA challenge. 165 API functions are accessible, including write operations (Customers.update, Domains.add, Ftps.add, etc.).

Automated PoC Script

Usage: python3 poc.py https://panel.example.com APIKEY APISECRET

Impact

When a user enables 2FA, they expect all access to their account to require a second factor. The API completely bypasses this expectation:
- Customer data: PII (name, email, address) readable and modifiable
- Domains: full control over domains, subdomains, DNS records
- Email accounts: create, read, delete email accounts and forwarders
- FTP accounts: access home directory paths and credentials
- MySQL databases: full database management
- SSL certificates: read private keys, modify certificate bindings
- 165 API functions: including all write operations

API keys can be leaked through database backups, log files, config file exposure (GHSA-34qg-65m4-f23m demonstrated DB credential leaks), or compromised automation scripts. Users who enabled 2FA specifically to protect against credential compromise are not protected.

Comparison with CVE-2023-3173

CVE-2023-3173 ("2FA Bypass by Brute Force") was accepted as Critical ($60 bounty) and fixed by adding rate limiting to 2FA verification. This finding is architecturally different: the API authentication path has no 2FA logic at all. No brute force is needed; the second factor is simply never requested.

Suggested Fix

Add 2FA verification to FroxlorRPC::validateAuth(). When the authenticated user has type_2fa != 0, require a TOTP code as an additional API parameter:

Alternatively, disable API key creation for accounts with 2FA enabled, or require 2FA re-verification when generating new API keys.
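The following is an added illustration, not Froxlor's code: it models the pre-2.3.7 validateAuth shape (key and secret only) beside the hardened shape the Suggested Fix describes, where an account with type_2fa != 0 must also present a valid RFC 6238 TOTP code. The account store, field names (apikey, secret, totp, totp_secret) and the TOTP secret are constructed for the example.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional

# Constructed account store standing in for Froxlor's API key / admin rows.
# Field names are hypothetical; the TOTP secret is the RFC 6238 test-vector key.
ACCOUNTS = {
    "key-admin": {"secret": "s3cret-admin", "type_2fa": 1,
                  "totp_secret": b"12345678901234567890", "user": "admin"},
    "key-cust":  {"secret": "s3cret-cust", "type_2fa": 0,
                  "totp_secret": None, "user": "customer1"},
}

def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for a Unix timestamp."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def _key_secret_ok(request: dict) -> Optional[dict]:
    """Shared first factor: look up the key and compare the secret in constant time."""
    account = ACCOUNTS.get(request.get("apikey", ""))
    if account is None:
        return None
    if not hmac.compare_digest(account["secret"], request.get("secret", "")):
        return None
    return account

def validate_auth_vulnerable(request: dict) -> Optional[str]:
    """Pre-2.3.7 shape: key + secret is the whole check; type_2fa is never consulted."""
    account = _key_secret_ok(request)
    return account["user"] if account else None

def validate_auth_fixed(request: dict, now: Optional[int] = None) -> Optional[str]:
    """Hardened shape: a 2FA-enabled account must also present a valid TOTP code."""
    account = _key_secret_ok(request)
    if account is None:
        return None
    if account["type_2fa"] != 0:
        supplied = str(request.get("totp", ""))
        now = int(time.time()) if now is None else now
        # Accept the current 30 s step and one step either side for clock drift.
        if not any(hmac.compare_digest(totp(account["totp_secret"], now + d * 30), supplied)
                   for d in (-1, 0, 1)):
            return None
    return account["user"]
```

The vulnerable path admits the 2FA-enabled admin with only the leaked key and secret; the fixed path rejects that request and admits it only with a code valid for the current step.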
The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.
CVE-2026-52793 has a CVSS score of 8.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (2.3.7). Upgrading removes the vulnerable code path.
Package: froxlor/froxlor (composer). Affected versions: < 2.3.7. Fixed version: 2.3.7.

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
CVE-2026-52793 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
froxlor/froxlor (composer) versions < 2.3.7 are affected.
Yes. CVE-2026-52793 is fixed in 2.3.7. Upgrade to this version or later.
Upgrade froxlor/froxlor to 2.3.7 or later.