CVE-2026-41236

Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link. If an attacker controls a shell-enabled customer account and can modify files inside the assigned home directory, the attacker can replace `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys`. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key into root's authorized key file, resulting in root SSH access. Version 2.3.7 contains a patch.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/froxlor/froxlor/releases/tag/2.3.7
https://github.com/froxlor/froxlor/security/advisories/GHSA-mq5v-pxpm-8jw2
https://github.com/froxlor/froxlor/security/advisories/GHSA-mq5v-pxpm-8jw2

Configurations

No configuration.

History

08 Jun 2026, 16:16

Type	Values Removed	Values Added
References	~~() https://github.com/froxlor/froxlor/security/advisories/GHSA-mq5v-pxpm-8jw2 -~~	() https://github.com/froxlor/froxlor/security/advisories/GHSA-mq5v-pxpm-8jw2 -

04 Jun 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-04 19:16

Updated : 2026-06-08 16:16

NVD link : CVE-2026-41236

Mitre link : CVE-2026-41236

CVE.ORG link : CVE-2026-41236

JSON object : View

Products Affected

No product.

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

8.8 /10