Description
Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link. If an attacker controls a shell-enabled customer account and can modify files inside the assigned home directory, the attacker can replace `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys`. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key into root's authorized key file, resulting in root SSH access. Version 2.3.7 contains a patch.
Published: 2026-06-04
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Froxlor version 2.3.6 contains a symlink-following vulnerability in the SSH key synchronization routine for customer FTP accounts. The code appends user-supplied keys to a file named ~/.ssh/authorized_keys without checking whether the target is a symbolic link. Based on the description, it is inferred that the attacker must have local shell access to the customer account in order to modify files in the home directory. The weakness is a classic link-following flaw (CWE-59, improper link resolution before file access) that allows an attacker with such access to point the ~/.ssh/authorized_keys path at /root/.ssh/authorized_keys. When the privileged Froxlor cron task later synchronizes keys, it writes the attacker's key into root's authorized_keys file, thereby granting the attacker root login over SSH.
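The hardening this description implies, as an added example written for this page and not Froxlor's own code (Froxlor is PHP; this is Python): the privileged writer opens `.ssh` and `authorized_keys` as separate `O_NOFOLLOW` steps and checks ownership with `fstat` on the open descriptor, so a customer-planted symlink is refused rather than followed. It assumes the caller knows the customer's numeric `uid` and that the parent of the home directory is not writable by the customer; the `demo()` scenario and the key string are constructed.

```python
import errno
import os
import stat
import tempfile

class UnsafeKeyPath(Exception):
    """Raised when the authorized_keys path is unsafe for a privileged writer."""

def _openat(name, dir_fd, flags):
    try:   # O_NOFOLLOW: a symlink at this component fails with ELOOP instead of being followed
        return os.open(name, flags | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dir_fd)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise UnsafeKeyPath(f"refusing to follow symlink {name!r}") from exc
        raise

def safe_append_key(home, uid, pubkey):
    """Append pubkey to <home>/.ssh/authorized_keys; every check is fstat() on an open fd."""
    ssh_fd = _openat(os.path.join(home, ".ssh"), None, os.O_RDONLY | os.O_DIRECTORY)
    try:
        if os.fstat(ssh_fd).st_uid != uid:
            raise UnsafeKeyPath(".ssh is not owned by the customer")
        key_fd = _openat("authorized_keys", ssh_fd, os.O_WRONLY | os.O_APPEND)
    finally:
        os.close(ssh_fd)
    try:
        st = os.fstat(key_fd)   # reject hard links to foreign files and non-regular files too
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1 or st.st_uid != uid:
            raise UnsafeKeyPath("authorized_keys is not a customer-owned plain file")
        os.write(key_fd, (pubkey.rstrip("\n") + "\n").encode())
    finally:
        os.close(key_fd)

def demo():
    """Constructed: an honest home, and one whose authorized_keys symlinks to a stand-in for root's."""
    uid, key = os.getuid(), "ssh-ed25519 AAAAC3constructedkey demo@example"
    with tempfile.TemporaryDirectory() as tmp:
        victim, honest, hostile = (os.path.join(tmp, n) for n in ("victim", "honest", "hostile"))
        open(victim, "w").close()
        for home in (honest, hostile):
            os.makedirs(os.path.join(home, ".ssh"), mode=0o700)
        open(os.path.join(honest, ".ssh", "authorized_keys"), "w").close()
        os.symlink(victim, os.path.join(hostile, ".ssh", "authorized_keys"))  # attacker-planted
        safe_append_key(honest, uid, key)
        try:
            safe_append_key(hostile, uid, key)
            blocked = False
        except UnsafeKeyPath:
            blocked = True
        honest_text = open(os.path.join(honest, ".ssh", "authorized_keys")).read()
        return {"honest": honest_text, "blocked": blocked, "victim_size": os.path.getsize(victim)}
```

The ELOOP branch is Linux behaviour for `O_NOFOLLOW`; the `fstat` checks also catch a hard link or FIFO planted in place of the key file.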

Affected Systems

The flaw exists in Froxlor 2.3.6. Version 2.3.7 includes a patch that removes the unchecked symlink resolution. The vulnerability is limited to the SSH key sync process used for regular customer FTP users, and it requires that the attacker already holds a shell-enabled customer account with write access to that account's home directory.

Risk and Exploitability

With a CVSS score of 8.8 the potential impact is very high. No EPSS score is available, but the attack does not require privileged network exposure: it relies on a local customer account, which can be obtained through ordinary credential weaknesses. The vulnerability is not listed in the CISA KEV catalog, but its high severity and the ease of local exploitation make it a serious risk for systems running Froxlor without the recent patch.

Generated by OpenCVE AI on June 4, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Froxlor to version 2.3.7 or later to eliminate the unchecked symlink following in SSH key synchronization.
  • Restrict file system permissions on customer home directories so that the ~/.ssh subdirectory and its authorized_keys file cannot be replaced by a symlink from within the user's writable space.
  • If an immediate upgrade is not feasible, disable the Froxlor cron job that performs the root-privileged SSH key synchronization, or remove that synchronization step from the job, until the patch can be applied.


Advisories

Source: GitHub GHSA
ID: GHSA-mq5v-pxpm-8jw2
Title: Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path

History

Thu, 04 Jun 2026 20:15:00 +0000

Values added:
  First Time appeared: Froxlor; Froxlor froxlor
  Vendors & Products: Froxlor; Froxlor froxlor

Thu, 04 Jun 2026 18:30:00 +0000

Values added:
  Description: Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link. If an attacker controls a shell-enabled customer account and can modify files inside the assigned home directory, the attacker can replace `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys`. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key into root's authorized key file, resulting in root SSH access. Version 2.3.7 contains a patch.
  Title: Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path
  Weaknesses: CWE-59
  References: (none)
  Metrics: cvssV3_1, score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T17:52:10.066Z

Reserved: 2026-04-18T03:47:03.134Z

Link: CVE-2026-41236

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T19:16:29.327

Modified: 2026-06-04T19:16:29.327

Link: CVE-2026-41236

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T20:30:16Z

Weaknesses