CVE-2026-41233
Status: Received (Intake)
Privilege Escalation via Unvalidated adminid in Froxlor Domains.add

Publication date: 2026-04-23

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's `domains_used` counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes the issue.
Meta Information
Published: 2026-04-23
Last modified: 2026-04-27
Page generated: 2026-06-16
AI Q&A generated: 2026-04-23
EPSS evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: froxlor
Product: froxlor
Version / Range: up to 2.3.6 (excluding)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

CVE-2026-41233 is a vulnerability in Froxlor server administration software versions prior to 2.3.6. It occurs in the Domains.add() API method where the adminid parameter, which assigns ownership of newly created domains, is accepted from user input without proper validation if the calling reseller does not have the customers_see_all permission.

This lack of validation allows a reseller to specify any adminid, not necessarily their own, when creating a domain. As a result, the domain is attributed to another admin, and the quota counters are incremented for that admin instead of the reseller. This bypasses the reseller's domain quota and can exhaust the quota of the spoofed admin.

The issue arises because the code only validates the adminid parameter if the reseller has the customers_see_all permission. Without this permission, there is no enforcement that the adminid matches the reseller's own admin ID.

Impact Analysis

This vulnerability allows resellers to bypass their domain creation quotas and create domains beyond their allocated limits.

  • Quota Bypass: Resellers can create more domains than allowed.
  • Quota Exhaustion Denial of Service: The spoofed admin's domain quota can be exhausted, preventing legitimate domain creation for that admin.
  • Data Integrity Violation: Domains may be incorrectly associated with admins who do not own the customers, breaking ownership models.
  • Accounting Inaccuracy: Resource usage and billing tied to admin quotas become unreliable.

Detection Guidance

This vulnerability can be detected by monitoring API calls to the Domains.add() method for suspicious use of the adminid parameter. Specifically, look for domain creation requests where the adminid does not match the reseller's own admin ID, which indicates quota bypass attempts.

A practical way to detect exploitation attempts is to review API request logs. To confirm whether an installation is affected, a request such as the following curl example can be sent with a reseller's own API credentials to check whether the system improperly accepts an arbitrary adminid:

  • curl -s -u RESELLER_API_KEY:RESELLER_API_SECRET -X POST https://froxlor.example/api.php -d '{"command": "Domains.add", "params": {"domain": "bypass-test-1.com", "customerid": 3, "adminid": 1}}'

If this command succeeds in creating a domain with an adminid different from the reseller's own, it confirms the vulnerability is present.
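The log review described above, as an added example that is not part of the original advisory: it parses constructed API log lines (the line format and the caller directory are assumptions, not Froxlor's own format) and flags Domains.add requests where a caller without customers_see_all names an adminid other than their own.

```python
# Log-based detection for the adminid mismatch described above. The log line
# format and caller directory are constructed for this example, not Froxlor's.
import json
import re
from typing import List, Optional, Tuple

CALLERS = {1: True, 5: False, 7: False}   # hypothetical: adminid -> customers_see_all

LINE_RE = re.compile(r"caller=(?P<caller>\d+) command=(?P<command>\S+) params=(?P<params>\{.*\})")

def parse_line(line: str) -> Optional[dict]:
    """Return caller, command and decoded params, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        params = json.loads(m["params"])
    except json.JSONDecodeError:
        return None
    return {"caller": int(m["caller"]), "command": m["command"], "params": params}

def is_suspicious(event: dict) -> bool:
    """Domains.add by a caller without customers_see_all naming a foreign adminid."""
    if event["command"] != "Domains.add":
        return False
    adminid = event["params"].get("adminid")
    if adminid is None:                      # omitted: server uses caller's id
        return False
    if CALLERS.get(event["caller"], False):  # full admin may pick any owner
        return False
    return int(adminid) != event["caller"]

def find_spoofed(log_lines: List[str]) -> List[Tuple[int, int]]:
    """(caller adminid, requested adminid) for every suspicious request."""
    hits = []
    for line in log_lines:
        event = parse_line(line)
        if event and is_suspicious(event):
            hits.append((event["caller"], int(event["params"]["adminid"])))
    return hits

# Constructed sample log; not real traffic.
SAMPLE_LOG = [
    '2026-04-23T10:00:01Z caller=5 command=Domains.add params={"domain": "a.example", "customerid": 3, "adminid": 1}',
    '2026-04-23T10:00:05Z caller=5 command=Domains.add params={"domain": "b.example", "customerid": 3, "adminid": 5}',
    '2026-04-23T10:00:09Z caller=1 command=Domains.add params={"domain": "c.example", "customerid": 8, "adminid": 7}',
    '2026-04-23T10:00:15Z caller=7 command=Domains.add params={"domain": "d.example", "customerid": 9}',
]
```

Only the first sample line is reported: the second names the caller's own id, the third comes from a full admin, and the fourth omits adminid altogether.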

Mitigation Strategies

The immediate mitigation is to upgrade Froxlor to version 2.3.6 or later, where the issue is fixed by enforcing that the adminid parameter is forcibly set to the caller's own admin ID if the caller lacks the customers_see_all permission.

If upgrading immediately is not possible, restrict API access to trusted users only and monitor domain creation requests for suspicious adminid values to prevent quota bypass.
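The attribution logic from the executive summary and the fix from the mitigation section, as an added simplified model that is not Froxlor's own code: the Admin record, the quota fields and the function names are assumptions; `fixed=False` reproduces the pre-2.3.6 path where a reseller's adminid is used as-is, and `fixed=True` forces it back to the caller.

```python
# Simplified model of adminid handling in Domains.add() (CVE-2026-41233).
# Hypothetical data structures and names, not Froxlor's own code.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Admin:
    adminid: int
    customers_see_all: bool
    domains: int            # quota: how many domains this admin may own
    domains_used: int = 0   # counter incremented on every successful add

class QuotaExceeded(Exception):
    pass

def resolve_adminid(caller: Admin, requested: Optional[int], fixed: bool) -> int:
    """fixed=False: pre-2.3.6 logic, reseller-supplied adminid used as-is.
    fixed=True: 2.3.6 logic, reseller always gets their own adminid."""
    if requested is None:
        return caller.adminid
    if caller.customers_see_all:
        return requested            # full admin: may attribute to any admin
    if fixed:
        return caller.adminid       # reseller: ownership forced back to caller
    return requested                # CWE-863: reseller path skips the check

def domains_add(admins: Dict[int, Admin], caller: Admin,
                requested: Optional[int], fixed: bool) -> int:
    """Quota is checked and counted against the resolved owner, so a wrong
    owner both bypasses the caller's quota and consumes someone else's."""
    owner = admins[resolve_adminid(caller, requested, fixed)]
    if owner.domains_used >= owner.domains:
        raise QuotaExceeded(f"admin {owner.adminid} has no free domain slots")
    owner.domains_used += 1
    return owner.adminid

def scenario(fixed: bool) -> Tuple[int, int, str]:
    """Reseller 5 (quota 1, already used) asks to attribute a domain to admin 1.
    Returns (admin 1 domains_used, reseller domains_used, outcome)."""
    admins = {
        1: Admin(1, customers_see_all=True, domains=2),
        5: Admin(5, customers_see_all=False, domains=1, domains_used=1),
    }
    try:
        owner = domains_add(admins, admins[5], 1, fixed)
        outcome = f"created, attributed to admin {owner}"
    except QuotaExceeded as exc:
        outcome = f"rejected: {exc}"
    return admins[1].domains_used, admins[5].domains_used, outcome
```

With `fixed=False` the full reseller still gets a domain created and admin 1's counter goes up; with `fixed=True` the request is counted against the reseller and rejected by their own quota.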

Compliance Impact

This vulnerability allows resellers to bypass domain creation quotas by associating domains with other admins without proper authorization, leading to data integrity violations and inaccurate resource usage accounting.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the data integrity and authorization issues could affect compliance by undermining accurate tracking and control of domain ownership and resource usage.

Specifically, inaccurate ownership attribution and quota exhaustion could lead to unauthorized actions and mismanagement of data, which may conflict with regulatory requirements for data accuracy, accountability, and access control.
