CVE-2026-41231
Received Received - Intake
Symlink Ownership Escalation in Froxlor DataDump Export Path

Publication date: 2026-04-23

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-23
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-23
EPSS Evaluated
2026-06-14
NVD
CVE-2026-41231
EUVD
EUVD-2026-25182
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
froxlor froxlor to 2.3.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41231 is a high-severity vulnerability in the Froxlor server administration software affecting versions prior to 2.3.6. The issue arises because the DataDump.add() function constructs export destination paths from user input without enforcing symlink validation that is applied elsewhere. This allows an attacker to create a symlink inside their document root pointing to arbitrary directories outside their home directory.

When the ExportCron job runs as root, it executes a recursive chown command on the resolved export directory path. Because chown follows symlinks, the attacker can cause ownership of arbitrary directories (including other customers' directories or critical system directories like /etc) to be changed to their user and group IDs.

This vulnerability is due to missing the $fixed_homedir parameter in DataDump.add()’s call to FileDir::makeCorrectDir(), bypassing symlink validation designed to prevent directory traversal outside the customer's home directory.

Executive Summary

CVE-2026-41231 is a high-severity vulnerability in the Froxlor hosting panel affecting versions up to 2.1.0. The issue arises because the DataDump.add() function constructs export destination paths from user input without enforcing symlink validation that is applied elsewhere. This allows an attacker to create a symlink inside their document root pointing to arbitrary directories outside their home directory.

When the ExportCron job runs as root, it executes a recursive chown command on the resolved export directory path. Because chown follows symlinks, the attacker can cause ownership of arbitrary directories (including other customers’ directories or critical system directories like /etc) to be changed to their user and group IDs.

This vulnerability is due to missing symlink validation in DataDump.add() by not passing the $fixed_homedir parameter to FileDir::makeCorrectDir(), which bypasses checks preventing directory traversal outside the customer’s home directory.

Impact Analysis

This vulnerability can have severe impacts including:

  • Horizontal privilege escalation: attacker gains ownership of other customers’ web files, database exports, and email data.
  • Vertical privilege escalation: attacker can target system directories (e.g., /etc/passwd, /etc/shadow), enabling root account creation or password changes.
  • Data breach: full read/write access to sensitive files including configuration files with secrets.
  • Service disruption: changing ownership of system directories can break system services.

The attack requires only a single API call and creation of a symlink within the attacker’s document root, with impact delayed until the next cron run, making detection and attribution difficult.

Detection Guidance

Detection of this vulnerability involves checking for the presence of symlinks within customer document roots that point to directories outside their allowed scope, as the vulnerability exploits symlink traversal.

One approach is to scan the Froxlor export destination directories for symlinks using commands like:

  • find /path/to/customer/documentroots -type l -ls

Additionally, monitoring the ExportCron job logs for any errors indicating skipped chown operations due to symlink detection can help identify exploitation attempts.

Since the vulnerability involves the ExportCron running a recursive chown on symlinked directories, you can also check for unexpected ownership changes on critical system directories by running:

  • ls -l /etc /var /home

Reviewing the cron job configuration and its execution logs for the ExportCron job may also provide indicators of compromise.

Mitigation Strategies

Immediate mitigation steps include updating Froxlor to version 2.3.6 or later, which contains the patch that enforces proper symlink validation in the DataDump.add() function and modifies the ExportCron job to avoid following symlinks during ownership changes.

If updating immediately is not possible, you can manually apply the following mitigations:

  • Modify the DataDump.add() method to pass the $fixed_homedir parameter to FileDir::makeCorrectDir(), enforcing symlink validation.
  • Update the ExportCron job to check if the export destination directory is a symlink before executing the recursive chown command, skipping the chown if a symlink is detected.

Additionally, monitor and restrict API access to trusted users only, as the vulnerability requires API access with low privileges.

Compliance Impact

This vulnerability allows attackers to escalate privileges both horizontally and vertically by taking ownership of arbitrary directories, including other customers' data and critical system files. This can lead to unauthorized access to sensitive personal data, configuration files, and system credentials.

Such unauthorized access and potential data breaches can violate data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information to ensure confidentiality, integrity, and availability.

Additionally, the ability to disrupt services by changing ownership of system directories may impact system availability, further conflicting with compliance requirements.

Executive Summary

CVE-2026-41231 is a high-severity vulnerability in the Froxlor hosting panel caused by incomplete symlink validation in the DataDump.add() API command.

Specifically, DataDump.add() constructs export destination paths from user input without properly validating symbolic links, bypassing the symlink checks that other API commands enforce.

When the ExportCron runs as root, it executes a recursive chown command on the resolved export directory. Because chown follows symlinks, an attacker can create a symlink inside their document root pointing to any arbitrary directory, including other customers' directories or critical system directories like /etc.

This allows the attacker to take ownership of arbitrary directories on the system by having the cron job change ownership of the symlink target directory to the attacker's user ID and group ID.

Impact Analysis

This vulnerability can have several serious impacts:

  • Horizontal privilege escalation: attackers can take ownership of other customers’ web files, database exports, and email data on the same server.
  • Vertical privilege escalation: by targeting system directories such as /etc, attackers can gain read/write access to sensitive files like /etc/passwd and /etc/shadow, potentially enabling root account creation or password changes.
  • Data breach: attackers gain full read access to all files in the targeted directory tree, including sensitive configuration and secret files.
  • Service disruption: changing ownership of system directories can break system services.

The attack requires only a single API call and the presence of the system.exportenabled setting enabled by an administrator, with the impact delayed until the next cron run, complicating detection and attribution.

Detection Guidance

Detection of this vulnerability involves identifying if the ExportCron job is running as root and if it executes a recursive chown command on export directories that may be symlinks. Since the vulnerability arises from following symlinks during ownership changes, you can check for symlinks within customer document roots that point outside their directories.

Suggested commands to detect potential exploitation or presence of risky symlinks include:

  • Find symlinks inside customer document roots that point outside their home directories: find /var/customers/webs/ -type l -exec ls -l {} \;
  • Check if the ExportCron job is running as root and review its logs for chown commands on unexpected directories.
  • Monitor for unexpected ownership changes on critical directories such as /etc or other system paths.
Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade Froxlor to version 2.3.6 or later, where the vulnerability is patched.
  • Ensure that the DataDump.add() function passes the $fixed_homedir parameter to FileDir::makeCorrectDir() to enforce symlink validation.
  • Modify the ExportCron job to check if the export destination path is a symlink before executing chown -R. If it is a symlink, skip the chown operation or use chown with the no-dereference option (chown -h).
  • Disable the system.exportenabled setting if immediate patching is not possible to prevent the export functionality from running.
Executive Summary

CVE-2026-41231 is a high-severity vulnerability in the Froxlor server administration software affecting versions prior to 2.3.6. The issue arises because the DataDump.add() function constructs export destination paths from user input without enforcing symlink validation that is applied elsewhere. This allows an attacker to create a symbolic link (symlink) inside their document root pointing to arbitrary directories on the system.

When the ExportCron runs as root, it executes a recursive ownership change (chown -R) on the resolved symlink target. Because chown follows symlinks, the attacker can cause the system to change ownership of arbitrary directories to their user and group IDs.

This vulnerability is due to missing the $fixed_homedir parameter in DataDump.add() when calling FileDir::makeCorrectDir(), bypassing symlink validation. The attack requires only a single API call and creation of a symlink within the attacker's document root.

Impact Analysis

This vulnerability can have severe impacts including:

  • Horizontal privilege escalation: attackers can take ownership of other customers' web files, database exports, and email data.
  • Vertical privilege escalation: by targeting critical system directories like /etc, attackers can modify sensitive files such as /etc/passwd and /etc/shadow, potentially creating or altering root accounts.
  • Data breach: attackers gain full read/write access to all files in the targeted directory tree, including sensitive configuration and secret files.
  • Service disruption: changing ownership of system directories can break system services and cause operational failures.

The attack is stealthy because the ownership change happens during a root-executed cron job, delaying the impact and complicating detection.

Detection Guidance

Detection of this vulnerability involves checking for the presence of symlinks within customer document roots that point to directories outside their allowed scope, as well as monitoring for unexpected ownership changes caused by the ExportCron job running as root.

One approach is to scan the document root directories for symlinks using commands like:

  • find /path/to/customer/documentroot -type l -ls

Additionally, you can check recent ownership changes on critical directories that might indicate exploitation by running:

  • find /etc /var/www -user attacker_user -or -group attacker_group -ls

Monitoring cron job logs and export operation logs for unusual chown commands or errors related to symlink ownership changes can also help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include updating Froxlor to version 2.3.6 or later, which contains the patch that enforces proper symlink validation in the DataDump.add() function and modifies the ExportCron job to skip ownership changes on symlinked directories.

If updating immediately is not possible, consider the following temporary measures:

  • Audit and remove any suspicious symlinks within customer document roots that point outside their allowed directories.
  • Modify the ExportCron job or its configuration to prevent it from following symlinks during ownership changes, for example by patching the code to check for symlinks before running chown or by running chown with the -h (no-dereference) option.
  • Restrict permissions to prevent low-privileged users from creating symlinks that could be exploited.
Executive Summary

CVE-2026-41231 is a high-severity vulnerability in the Froxlor hosting panel affecting versions up to 2.1.0, patched in version 2.3.6. The issue arises because the DataDump.add() API command constructs export destination paths from user input without enforcing symlink validation that other parts of the system apply. This omission allows an attacker to create a symlink inside their document root pointing to arbitrary directories on the system.

When the ExportCron runs as root, it executes a recursive ownership change (chown -R) on the resolved symlink target. Because chown follows symlinks, the attacker can cause the system to change ownership of directories outside their control, including other customers' files or critical system directories.

This vulnerability is due to missing the $fixed_homedir parameter in DataDump.add() when calling FileDir::makeCorrectDir(), bypassing symlink validation and enabling directory ownership takeover.

Impact Analysis

This vulnerability can have several serious impacts:

  • Horizontal privilege escalation: An attacker can gain ownership of other customers' web files, database exports, and email data.
  • Vertical privilege escalation: By targeting system directories like /etc, an attacker can modify sensitive files such as /etc/passwd and /etc/shadow, potentially creating or altering root accounts.
  • Data breach: Full read/write access to all files in the targeted directory tree, including sensitive configuration and secret files.
  • Service disruption: Changing ownership of system directories can break system services, causing downtime or instability.

The attack requires only a single API call and creation of a symlink within the attacker's document root, with the impact occurring when the root-run ExportCron executes.

Detection Guidance

Detection of this vulnerability involves checking for the presence of symlinks within customer document roots that point to directories outside their allowed scope, as well as monitoring for unexpected ownership changes caused by the ExportCron job running as root.

You can look for symlinks inside user document roots that point to sensitive or unauthorized directories by running commands like:

  • find /path/to/customer/documentroots -type l -exec ls -l {} \;

To detect if ownership changes have occurred unexpectedly, you can check recent changes in ownership on critical directories, for example:

  • find /etc -user attacker_user -o -group attacker_group

Additionally, reviewing cron logs or the ExportCron execution logs for unusual chown commands or errors related to symlink handling can help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include updating Froxlor to version 2.3.6 or later, where the vulnerability is patched.

If updating immediately is not possible, you should:

  • Modify the DataDump.add() function to pass the $fixed_homedir parameter to FileDir::makeCorrectDir() to enforce symlink validation.
  • Update the ExportCron job to check if the export destination directory is a symlink before executing the recursive chown command, skipping the operation if a symlink is detected.
  • Alternatively, change the chown command to use the no-dereference option (e.g., chown -h) to avoid following symlinks.

Also, audit and remove any unauthorized symlinks within customer document roots that point outside their allowed directories.

Executive Summary

CVE-2026-41231 is a high-severity vulnerability in the Froxlor hosting panel affecting versions up to 2.1.0, patched in version 2.3.6. The issue arises because the DataDump.add() API command constructs export destination paths from user input without enforcing symlink validation that is applied elsewhere in the system.

Specifically, after a previous fix introduced symlink validation via a parameter in the FileDir::makeCorrectDir() function, DataDump.add() omitted this parameter, allowing user-supplied paths containing symlinks to arbitrary directories.

When the ExportCron runs as root, it executes a recursive ownership change (chown -R) on the resolved export directory. Because chown follows symlinks, an attacker can create a symlink inside their document root pointing to any directory on the system. The cron job then recursively changes ownership of the target directory and its contents to the attacker's user and group IDs.

Impact Analysis

This vulnerability can have several serious impacts:

  • Horizontal privilege escalation: An attacker can gain ownership of other customers' web files, database exports, and email data.
  • Vertical privilege escalation: By targeting system directories such as /etc, an attacker can modify sensitive files like /etc/passwd and /etc/shadow, potentially creating or altering root accounts and passwords.
  • Data breach: Full read/write access to all files in the targeted directory tree, including sensitive configuration and secret files.
  • Service disruption: Changing ownership of system directories can break system services.

The attack requires only a single API call and creation of a symlink within the attacker's document root, with the impact delayed until the next cron job runs, making detection and attribution more difficult.

Detection Guidance

This vulnerability can be detected by checking for the presence of symlinks within customer document roots that point to directories outside their allowed scope, especially if these symlinks are used as export destinations in the Froxlor DataDump.add() API.

You can detect suspicious symlinks by running commands to find symlinks inside the document root directories and verifying their targets.

  • Find symlinks inside a customer's document root (replace /path/to/documentroot): find /path/to/documentroot -type l -ls
  • Check where a symlink points to: readlink -f /path/to/symlink
  • Monitor cron job logs or audit logs for unexpected recursive chown commands run by ExportCron or root on directories that are symlink targets.

Since the attack involves the ExportCron running as root executing `chown -R` on symlink-resolved directories, monitoring for unusual ownership changes on critical system directories (e.g., /etc) or other customers' directories can also indicate exploitation.

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade Froxlor to version 2.3.6 or later, which contains the patch that enforces symlink validation in DataDump.add() and modifies ExportCron to skip ownership changes on symlinked directories.
  • If upgrading immediately is not possible, manually audit and remove any symlinks inside customer document roots that point outside their allowed directories to prevent exploitation.
  • Modify the ExportCron script to check if the export destination path is a symlink before executing `chown -R`, skipping the operation if a symlink is detected.
  • Consider temporarily disabling or restricting the ExportCron job until the patch is applied.

These steps prevent attackers from exploiting the incomplete symlink validation to escalate privileges or take ownership of arbitrary directories.

Executive Summary

CVE-2026-41231 is a high-severity vulnerability in the Froxlor server administration software affecting versions prior to 2.3.6. The issue arises because the DataDump.add() function constructs export destination paths from user input without enforcing symlink validation that other parts of the system apply. This omission allows an attacker to create a symbolic link (symlink) inside their document root pointing to arbitrary directories on the system.

When the ExportCron job runs as root, it executes a recursive ownership change (chown -R) on the resolved symlink target. Because chown follows symlinks, the attacker can cause the system to change ownership of directories outside their control to their user and group IDs.

This vulnerability results from missing the $fixed_homedir parameter in DataDump.add() when calling FileDir::makeCorrectDir(), bypassing symlink validation and enabling directory ownership takeover.

Impact Analysis

This vulnerability can have severe impacts including:

  • Horizontal privilege escalation: attackers can gain ownership of other customers' web files, database exports, and email data.
  • Vertical privilege escalation: by targeting critical system directories like /etc, attackers can modify sensitive files such as /etc/passwd and /etc/shadow, potentially creating or altering root accounts.
  • Data breach: attackers gain full read/write access to all files in the targeted directory tree, including sensitive configuration and secret files.
  • Service disruption: changing ownership of system directories can break system services, causing downtime or instability.

The attack requires only a single API call and creation of a symlink within the attacker's document root, with the impact occurring when the root-run ExportCron executes.

Detection Guidance

Detection of this vulnerability involves checking for the presence of symlinks within customer document roots that point to directories outside their allowed scope, as well as monitoring for unexpected ownership changes caused by the ExportCron job running as root.

One approach is to search for symlinks inside customer document roots that resolve to sensitive or unexpected system directories. For example, you can use the following command to find symlinks within a customer's document root:

  • find /path/to/customer/documentroot -type l -ls

Additionally, you can monitor recent ownership changes on critical directories that might indicate exploitation, for example:

  • find /etc /var/www -user attacker_user -or -group attacker_group -ls

Review cron job logs or the ExportCron execution logs to detect if the chown command was run on unexpected paths or symlinks.

Mitigation Strategies

Immediate mitigation steps include updating Froxlor to version 2.3.6 or later, which contains the patch that enforces proper symlink validation in the DataDump.add() API command.

Additionally, the ExportCron job has been updated to check if the export destination path is a symlink before executing the recursive chown command. If a symlink is detected, the chown operation is skipped to prevent privilege escalation.

  • Upgrade Froxlor to version 2.3.6 or newer.
  • Ensure the ExportCron code includes the symlink check using PHP's is_link() function before running chown.
  • Audit existing symlinks in customer document roots and remove or correct any that point outside allowed directories.
  • Restrict permissions to prevent unauthorized creation of symlinks by low-privileged users.
Impact Analysis

This vulnerability can have several serious impacts:

  • Horizontal privilege escalation: An attacker can gain ownership of other customers’ web files, database exports, and email data.
  • Vertical privilege escalation: An attacker can target system directories such as /etc/passwd or /etc/shadow, potentially enabling root account creation or password changes.
  • Data breach: Full read/write access to sensitive files including configuration files containing secrets.
  • Service disruption: Changing ownership of system directories can break system services.

The attack requires only a single API call and creation of a symlink within the attacker’s document root, with the impact occurring when the ExportCron job runs as root.

Detection Guidance

Detection of this vulnerability involves checking for the presence of symlinks within customer document roots that could be exploited by the ExportCron job running as root. Specifically, you can look for symlinks that point outside the expected directories.

A useful command to detect suspicious symlinks is to find symbolic links inside the Froxlor customer document root directories that point outside those directories. For example:

  • find /path/to/froxlor/customers -type l -exec bash -c 'target=$(readlink -f "{}") && if [[ "$target" != /path/to/froxlor/customers/* ]]; then echo "Suspicious symlink: {} -> $target"; fi' \;

Additionally, monitoring the ExportCron job logs for errors related to symlink detection or unexpected ownership changes can help identify exploitation attempts.

Since the vulnerability involves the ExportCron job running a recursive chown on symlink-resolved paths, auditing recent ownership changes on critical directories (e.g., /etc, other customers' directories) may reveal unauthorized changes.

Mitigation Strategies

Immediate mitigation steps include updating Froxlor to version 2.3.6 or later, which contains the fix for this vulnerability.

If updating immediately is not possible, you can manually apply mitigations by:

  • Modifying the ExportCron job to check if the export destination directory is a symlink before running the recursive chown command, and skipping the chown if it is a symlink.
  • Using the `chown -h` option (if supported) to avoid following symlinks during ownership changes.

These mitigations prevent the ExportCron job from changing ownership of arbitrary directories via symlink exploitation.

Additionally, review and restrict API access to trusted users only, and monitor for suspicious symlink creation within customer document roots.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41231. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart