Description
A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network.
Published: 2026-02-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Assess Impact
AI Analysis

Impact

A flaw in the GVfs FTP backend allows a malicious FTP server to provide an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, enabling the server to probe for and discover open ports accessible from the client’s network. The attacker therefore obtains information about the client’s external connectivity and possible services, leading to an information disclosure risk.

Affected Systems

This vulnerability affects Red Hat Enterprise Linux distributions 10, 6, 7, 8, and 9. No further version granularity is provided, so all installations of these series that include the GVfs FTP backend are potentially impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk, and the EPSS score of less than 1% shows a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the client to connect to an attacker‑controlled FTP server, so the attack vector is client‑initiated and relies on the user establishing a connection to an untrusted server.

Generated by OpenCVE AI on April 17, 2026 at 14:20 UTC.

Remediation

Vendor Workaround

To mitigate this issue, users should avoid connecting to untrusted or unknown FTP servers when using applications that rely on the GVfs FTP backend. This vulnerability requires the client to interact with a malicious FTP server for exploitation.

OpenCVE Recommended Actions

  • Avoid connecting to untrusted or unknown FTP servers when using applications that rely on the GVfs FTP backend.
  • Apply Red Hat updates that address the GVfs FTP backend PASV trust issue as they become available.
  • If the FTP backend is not required, disable or restrict it using system configuration or firewall rules to block external PASV connections.

Generated by OpenCVE AI on April 17, 2026 at 14:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4513-1 gvfs security update
Ubuntu USN Ubuntu USN USN-8114-1 GVfs vulnerabilities
History

Sat, 28 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 26 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 16:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network.
Title Gvfs: gvfs ftp backend: information disclosure via untrusted pasv responses
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-918
CPEs cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Subscriptions

Redhat Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-02-26T18:07:15.054Z

Reserved: 2026-02-26T13:34:41.531Z

Link: CVE-2026-28295

cve-icon Vulnrichment

Updated: 2026-02-26T18:07:10.139Z

cve-icon NVD

Status : Deferred

Published: 2026-02-26T16:24:09.370

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-28295

cve-icon Redhat

Severity : Low

Publid Date: 2026-02-26T00:00:00Z

Links: CVE-2026-28295 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses