Description
ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.
Published: 2026-06-24
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path handling flaw in ProFTPD versions 1.3.9b through 1.3.10rc2 allows an authenticated FTP user to prefix a file path with /proc/self/root in an RNFR command. The flaw lies in unresolved symlink components in dir_canonical_path(), which cause dir_check() to perform lexical comparisons that do not match any configured Directory block. The result is that the attacker can rename and subsequently download files located in directories protected by a DenyAll ACL. The weakness is a classic path traversal (CWE-59) that leads to a breach of confidentiality, integrity, and potentially availability if the attacker modifies file permissions or contents. Based on the description, it is inferred that the exploitation path is straightforward because it requires only a single crafted RNFR command after authentication.

Affected Systems

The affected vendor is ProFTPD Project, specifically the ProFTPD server versions 1.3.9b and 1.3.10rc2. Versions older than 1.3.9b or newer than 1.3.10rc2 are not confirmed to be vulnerable. All user sessions that employ the DefaultRoot directive (chroot) are not impacted, as chroot confines /proc/self/root to the user's chrooted environment.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, and the EPSS score is not available, suggesting limited publicly known exploitation data. The lack of a listing in the CISA KEV catalog further indicates that no widespread exploitation has been reported. An attacker must first authenticate to the FTP server before issuing a crafted RNFR command; based on the description, it is inferred that the exploitation path is relatively low complexity, raising the likelihood of successful attacks. This vulnerability allows bypass of ACL restrictions to access protected files, posing a significant risk to any environment running the affected ProFTPD releases.

Generated by OpenCVE AI on June 24, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest ProFTPD security update that addresses the path traversal flaw, or upgrade to ProFTPD 1.3.11 or later.
  • If an upgrade is not immediately feasible, configure the DefaultRoot directive to chroot user sessions to their home directories, effectively eliminating the ability to resolve /proc/self/root to the system root.
  • Configure your FTP server to log all RNFR commands containing /proc/self/root and set up alerts for any such usage, enabling rapid detection of attempted bypass.

Generated by OpenCVE AI on June 24, 2026 at 15:51 UTC.
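The third recommended action above (log RNFR commands that carry a /proc/self/root prefix and alert on them) can be put into practice with a small log scanner. The following is an added example written for this page, not OpenCVE's or the ProFTPD project's code. It assumes a hypothetical ExtendedLog layout of client IP, user, bracketed timestamp, the quoted full command line and the reply code; the sample log lines are constructed, and the regex must be adapted to whatever LogFormat is actually in use. It goes slightly beyond the page's single RNFR case by watching every path-taking command for the prefix and by following the rename-then-retrieve sequence the description outlines, so that the RNTO destination and a later RETR of it are reported alongside the triggering RNFR.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed ExtendedLog layout for this example (a hypothetical LogFormat, not
# ProFTPD's default): client IP, user, [timestamp], "full command line", reply code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<cmd>[^"]*)" (?P<status>\d{3})$'
)

# FTP commands that take a path argument; the advisory names RNFR, the others are
# watched because the same prefix would be just as suspicious on any of them.
PATH_COMMANDS = {"RNFR", "RNTO", "RETR", "STOR", "APPE", "DELE", "CWD",
                 "LIST", "NLST", "MLSD", "MLST", "SIZE", "MDTM"}

SUSPECT = ("proc", "self", "root")


@dataclass
class Alert:
    ip: str
    user: str
    time: str
    command: str
    path: str
    reason: str


def suspicious_path(path: str) -> bool:
    """True if the path, compared component-wise, starts with /proc/self/root.
    Empty and '.' components are ignored so that '//proc/./self/root/x' is still
    caught; no '..' resolution is attempted, keeping the check purely lexical (a
    directory literally named proc/self/root under the FTP root would also match,
    which is an acceptable false positive for an alert)."""
    parts = [p for p in path.split("/") if p not in ("", ".")]
    return tuple(parts[:3]) == SUSPECT


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields, or None if it is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines: Iterable[str]) -> list[Alert]:
    """Flag /proc/self/root paths and follow the rename-then-retrieve pattern the
    advisory describes: a suspicious RNFR, the RNTO that completes it and a later
    RETR of the renamed destination are all reported, tracked per (ip, user)."""
    alerts: list[Alert] = []
    pending_rnfr: dict[tuple[str, str], str] = {}   # session -> suspicious RNFR source
    moved: dict[tuple[str, str], set[str]] = {}      # session -> RNTO destinations
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not in the assumed format; skip rather than guess
        verb, _, arg = rec["cmd"].partition(" ")
        verb = verb.upper()
        session = (rec["ip"], rec["user"])
        if verb in PATH_COMMANDS and suspicious_path(arg):
            alerts.append(Alert(rec["ip"], rec["user"], rec["time"], verb, arg,
                                "path prefixed with /proc/self/root"))
            if verb == "RNFR":
                pending_rnfr[session] = arg
        elif verb == "RNTO" and session in pending_rnfr:
            src = pending_rnfr.pop(session)
            moved.setdefault(session, set()).add(arg)
            alerts.append(Alert(rec["ip"], rec["user"], rec["time"], verb, arg,
                                f"destination of rename from {src}"))
        elif verb == "RETR" and arg in moved.get(session, set()):
            alerts.append(Alert(rec["ip"], rec["user"], rec["time"], verb, arg,
                                "retrieval of a file renamed out of /proc/self/root"))
    return alerts


# Constructed sample lines (not real traffic) in the assumed format above.
SAMPLE_LOG = """\
203.0.113.10 alice [24/Jun/2026:15:10:01 +0000] "CWD /home/alice/uploads" 250
203.0.113.10 alice [24/Jun/2026:15:10:02 +0000] "RNFR /proc/self/root/srv/restricted/report.pdf" 350
203.0.113.10 alice [24/Jun/2026:15:10:02 +0000] "RNTO /home/alice/uploads/report.pdf" 250
203.0.113.10 alice [24/Jun/2026:15:10:03 +0000] "RETR /home/alice/uploads/report.pdf" 226
198.51.100.7 bob [24/Jun/2026:15:11:00 +0000] "RETR //proc/./self/root/etc/hostname" 550
198.51.100.7 bob [24/Jun/2026:15:11:05 +0000] "STOR /home/bob/notes.txt" 226
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.time} {a.ip} {a.user} {a.command} {a.path}: {a.reason}")
```

Run against the sample it reports four events: alice's RNFR, the RNTO that landed the file in her home directory, her RETR of that destination, and bob's RETR with a doubled-slash variant of the prefix. The component-wise comparison in suspicious_path mirrors the point of the advisory: dir_check() compares paths lexically, so the detection has to catch the prefix before any kernel-side resolution happens, and it deliberately does not attempt to resolve the path itself. Sessions under DefaultRoot still produce these log lines even though they are not exploitable, so alerts from chrooted users are worth triaging as attempts rather than successes.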

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Proftpd Project; Proftpd Project proftpd
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Proftpd Project; Proftpd Project proftpd

Wed, 24 Jun 2026 15:30:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 13:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.
Type: Title
  Values Removed: (none)
  Values Added: ProFTPD ACL Bypass via /proc/self/root Path Prefix in RNFR
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-59
Type: References
  Values Removed: (none)
  Values Added: (none)
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
    {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
  Values Added: cvssV4_0
    {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Proftpd Project Proftpd
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T15:01:06.310Z

Reserved: 2026-03-31T20:40:15.618Z

Link: CVE-2026-35025

Vulnrichment

Updated: 2026-06-24T15:00:35.437Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T17:15:04Z

Weaknesses
  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')