Description
Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer with shell delegation enabled can submit an arbitrary shell such as `/bin/bash` even when the panel UI only offers more restricted choices. In deployments that use the default `nssextrausers` integration, the attacker-controlled shell is then propagated into the system account database, leading to real host shell access. Version 2.3.7 fixes the issue.
Published: 2026-06-04
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Froxlor 2.3.6 allows an authenticated customer with shell delegation to assign any shell, bypassing the configured whitelist of system.available_shells. This authorization bypass enables the attacker to specify shells such as /bin/bash, which are then applied to the system account database, granting the user real shell access on the host. The weakness is an improper authorization check, identified as CWE-863.

Affected Systems

The vulnerability affects Froxlor by froxlor version 2.3.6. The fix is contained in release 2.3.7, and earlier versions remain susceptible.

Risk and Exploitability

The flaw carries a CVSS score of 8.6, indicating high severity. EPSS data is unavailable, but the lack of a KEV listing suggests no known public exploits. Because the attacker must be authenticated as a customer and shell delegation must be enabled, the risk is limited to environments where such delegation is enabled and the UI does not enforce the allowed shell list on the server side. Nonetheless, once exploited, the attacker gains system shell access, representing a major confidentiality, integrity, and availability threat.

Generated by OpenCVE AI on June 4, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Froxlor to version 2.3.7 or later, which implements the missing server‑side shell whitelist enforcement.
  • Audit existing FTP user accounts and remove any unauthorized shells that may have been assigned through the bypass, ensuring they align with system.available_shells.
  • Verify that any new FTP accounts created after the upgrade are restricted to shells defined in system.available_shells, confirming that the authorization check is active.

Generated by OpenCVE AI on June 4, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gcv3-5v9q-fmhh Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement
History

Thu, 04 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Froxlor
Froxlor froxlor
Vendors & Products Froxlor
Froxlor froxlor

Thu, 04 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer with shell delegation enabled can submit an arbitrary shell such as `/bin/bash` even when the panel UI only offers more restricted choices. In deployments that use the default `nssextrausers` integration, the attacker-controlled shell is then propagated into the system account database, leading to real host shell access. Version 2.3.7 fixes the issue.
Title Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P'}

Subscriptions

Froxlor Froxlor
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T17:50:09.899Z

Reserved: 2026-04-18T03:47:03.134Z

Link: CVE-2026-41235

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-04T19:16:29.153

Modified: 2026-06-05T15:09:21.430

Link: CVE-2026-41235

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T20:30:15Z

Weaknesses