Description
A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts.
Published: 2026-02-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: command injection leading to potential arbitrary code execution
Action: Implement Workaround
AI Analysis

Impact

A flaw in the FTP GVfs backend allows an attacker to inject arbitrary FTP commands by supplying file paths that contain carriage return and line feed sequences. The unsanitized CRLF characters terminate intended commands and start new ones, enabling an attacker to execute arbitrary FTP commands and potentially achieve code execution on the target system. This vulnerability is categorized as CWE-93, reflecting unsanitized input that can control network protocol commands.
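The mechanism described above (CWE-93) comes down to how an FTP client builds its control-channel lines: the protocol terminates every command with CRLF, so a path that itself carries CRLF ends the intended command early and whatever follows is read as a new command. The added Python example below is not GVfs code; it contrasts a naive command builder with a hardened one that rejects control characters before they reach the wire, and includes a small checker that counts how many protocol lines a buffer would actually send. All function names and the sample paths are constructed for illustration; the injected command is a harmless `NOOP`.

```python
"""Added example (not GVfs or Red Hat code): CRLF in an FTP path vs. a hardened builder.

FTP control-channel commands are lines terminated by CRLF (RFC 959). If a caller
interpolates an unvalidated path into "RETR <path>\r\n", a path containing "\r\n"
yields more than one line and the extra text is parsed by the server as a command.
Function names here (build_retr_naive, build_retr_safe, command_verbs) are hypothetical.
"""

CRLF = "\r\n"
# Characters that must never appear inside a single protocol line.
FORBIDDEN = ("\r", "\n", "\0")


class UnsafePathError(ValueError):
    """Raised when a path would inject extra lines into the FTP control stream."""


def build_retr_naive(path: str) -> bytes:
    """Vulnerable pattern: the path goes straight into the command line.

    A path containing CR/LF produces two (or more) protocol lines instead of one.
    """
    return f"RETR {path}{CRLF}".encode("latin-1")


def build_retr_safe(path: str) -> bytes:
    """Hardened pattern: refuse any path with CR, LF or NUL before building the line."""
    if any(ch in path for ch in FORBIDDEN):
        raise UnsafePathError(f"control characters not allowed in FTP path: {path!r}")
    return f"RETR {path}{CRLF}".encode("latin-1")


def command_verbs(wire: bytes) -> list[str]:
    """Return the command verb of every complete line in a control-channel buffer.

    Useful as a last-line check (or in a proxy/IDS rule): one intended command
    must map to exactly one verb. More than one means the path split the stream.
    """
    text = wire.decode("latin-1")
    return [line.split(" ", 1)[0] for line in text.split(CRLF) if line]


def is_single_command(wire: bytes) -> bool:
    """True when the buffer carries exactly one protocol line."""
    return len(command_verbs(wire)) == 1


if __name__ == "__main__":
    # Constructed sample inputs.
    benign = "reports/q1.txt"
    crafted = "reports/q1.txt" + CRLF + "NOOP"  # CRLF embedded in the "path"

    print(command_verbs(build_retr_naive(benign)))   # ['RETR']
    print(command_verbs(build_retr_naive(crafted)))  # ['RETR', 'NOOP'] -> injected line
    try:
        build_retr_safe(crafted)
    except UnsafePathError as exc:
        print("rejected:", exc)
```

Rejecting the characters outright is simpler and safer than trying to escape them: RFC 959 only defines an escape for CR inside a pathname, and a client that forwards user-controlled paths has no reason to accept embedded line terminators at all.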

Affected Systems

Red Hat Enterprise Linux 6, 7, 8, 9, and 10 are affected when the GVfs FTP backend is present. No specific downstream package versions are listed, so all current installations of these operating systems carrying the default GVfs FTP support are vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity while the EPSS score of less than 1% suggests a very low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is remote: an attacker can connect to the target’s FTP service or supply a crafted FTP URL to trigger the CRLF injection. The exploitation requires the ability to supply a file path to the FTP backend; once achieved, arbitrary FTP commands can be injected, potentially leading to code execution.

Generated by OpenCVE AI on April 17, 2026 at 14:20 UTC.

Remediation

Vendor Workaround

To reduce the risk associated with this vulnerability, users should avoid connecting to untrusted FTP servers or opening FTP links from unverified sources. Implementing network-level restrictions, such as firewall rules, to limit outbound connections to only trusted FTP servers can further mitigate potential exposure. If the GVfs FTP backend is not essential for daily operations, consider removing or disabling packages that provide this functionality, though this action may affect other desktop environment features that rely on GVfs for FTP access.


OpenCVE Recommended Actions

  • Avoid connecting to untrusted FTP servers or opening FTP links from unverified sources.
  • Implement firewall rules to restrict outbound connections to only trusted FTP servers.
  • If the GVfs FTP backend is not required, remove or disable the associated packages to eliminate the vulnerable functionality.


Advisories
Source       ID           Title
Debian DLA   DLA-4513-1   gvfs security update
Ubuntu USN   USN-8114-1   GVfs vulnerabilities
History

Sat, 28 Feb 2026 00:15:00 +0000

References: changed
Metrics:
  Values removed: threat_severity: None
  Values added:   threat_severity: Moderate


Thu, 26 Feb 2026 22:15:00 +0000

Metrics:
  Values added: ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 15:30:00 +0000

Values added:
  Description: A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts.
  Title: Gvfs: ftp gvfs backend: arbitrary ftp command injection via crlf sequences in file paths
  First Time appeared: Redhat; Redhat enterprise Linux
  Weaknesses: CWE-93
  CPEs:
    cpe:/o:redhat:enterprise_linux:10
    cpe:/o:redhat:enterprise_linux:6
    cpe:/o:redhat:enterprise_linux:7
    cpe:/o:redhat:enterprise_linux:8
    cpe:/o:redhat:enterprise_linux:9
  Vendors & Products: Redhat; Redhat enterprise Linux
  References: changed
  Metrics: cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-02-26T18:23:09.297Z

Reserved: 2026-02-26T13:34:41.532Z

Link: CVE-2026-28296

Vulnrichment

Updated: 2026-02-26T18:23:04.240Z

NVD

Status : Deferred

Published: 2026-02-26T16:24:09.580

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-28296

Redhat

Severity : Moderate

Public Date: 2026-02-26T00:00:00Z

Links: CVE-2026-28296 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses