CVE-2026-35025
ProFTPD Access Control Bypass via Path Traversal

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.
Affected Vendors & Products
Showing 4 associated CPEs

Vendor    Product    Version / Range
proftpd   proftpd    up to 1.3.10rc2 (inclusive)
proftpd   proftpd    up to 1.3.10rc2 (exclusive)
proftpd   proftpd    up to 1.3.9b (exclusive)
proftpd   proftpd    up to 1.3.9b (inclusive)
CWE
CWE-59: The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Detection Guidance

This vulnerability can be detected by monitoring FTP server logs for the use of the RNFR command with paths prefixed by /proc/self/root, which is unusual and indicative of an attempt to bypass Directory ACL restrictions.

You can search the FTP server logs for such RNFR commands directly. For example, on a Linux system, you might run:

  • grep 'RNFR /proc/self/root' /var/log/proftpd/proftpd.log

Additionally, network traffic capture tools like tcpdump or Wireshark can be used to filter FTP commands and look for RNFR commands with the /proc/self/root prefix.

  • tcpdump -A -s 0 'tcp port 21 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'RNFR /proc/self/root'
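The grep above only matches the literal prefix; the following added example (not part of the advisory or the ProFTPD project) normalises the path lexically first, so variants such as a doubled leading slash or an inserted ".." segment are still flagged. The log lines are constructed, and their column layout (date, time, client, user, quoted command, reply code) is an assumption, not ProFTPD's actual log format.

```python
import posixpath
import re
from typing import List, Tuple

# Constructed sample lines (not real ProFTPD output). Assumed layout:
# <date> <time> <client> <user> "<COMMAND> <argument>" <reply-code>
SAMPLE_LOG = """\
2026-06-24 10:01:12 203.0.113.7 alice "CWD /home/alice/upload" 250
2026-06-24 10:01:20 203.0.113.7 alice "RNFR /proc/self/root/srv/ftp/private/report.pdf" 350
2026-06-24 10:01:21 203.0.113.7 alice "RNTO /home/alice/upload/report.pdf" 250
2026-06-24 10:02:05 203.0.113.9 bob "RNFR /home/bob/old.txt" 350
2026-06-24 10:02:40 203.0.113.7 alice "RNFR //proc/self/root/srv/ftp/private/notes.txt" 350
2026-06-24 10:03:00 203.0.113.9 bob "RETR /home/bob/old.txt" 226
"""

LINE_RE = re.compile(r'^(\S+ \S+) (\S+) (\S+) "([A-Za-z]+) ?(.*)" (\d{3})$')
SUSPICIOUS_PREFIX = "/proc/self/root"
WATCHED_COMMANDS = {"RNFR"}   # the command handler named in the advisory


def is_proc_root_path(path: str) -> bool:
    """True if the path, after lexical normalisation, starts at /proc/self/root."""
    norm = posixpath.normpath(path)
    if norm.startswith("//"):          # POSIX normpath keeps exactly two leading slashes
        norm = norm[1:]
    return norm == SUSPICIOUS_PREFIX or norm.startswith(SUSPICIOUS_PREFIX + "/")


def find_acl_bypass_attempts(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, user, path) for each watched command using the prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the assumed layout
        when, client, user, cmd, arg, _code = m.groups()
        if cmd.upper() in WATCHED_COMMANDS and is_proc_root_path(arg):
            hits.append((when, client, user, arg))
    return hits


if __name__ == "__main__":
    for when, client, user, arg in find_acl_bypass_attempts(SAMPLE_LOG):
        print(f"{when} {client} user={user} RNFR via /proc/self/root: {arg}")
```

Point the function at a real log only after adjusting LINE_RE to the ExtendedLog format actually configured on the server.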
Executive Summary

CVE-2026-35025 is an access control bypass vulnerability in ProFTPD versions up to 1.3.9b and 1.3.10rc2. Authenticated FTP users can exploit this flaw by prefixing paths with /proc/self/root in the RNFR command handler. This manipulation exploits unresolved symlink components in the dir_canonical_path() function, causing the dir_check() function to fail to correctly match configured Directory ACL blocks. As a result, attackers can bypass Directory ACL restrictions, allowing unauthorized rename operations on files within directories protected by DenyAll rules and enabling subsequent retrieval of those files.

Impact Analysis

This vulnerability can allow authenticated FTP users to bypass directory access controls, enabling them to rename and retrieve files in directories that should be protected. This unauthorized access can lead to exposure of sensitive files, potential data leakage, and compromise of file integrity within the affected ProFTPD server.

Mitigation Strategies

The primary mitigation is to configure ProFTPD sessions with DefaultRoot (chroot), which changes the directory to which /proc/self/root resolves, preventing the exploit.

Additionally, updating ProFTPD to a release later than 1.3.9b or 1.3.10rc2 that contains the fix for this vulnerability is recommended.

Until an update can be applied, monitoring and restricting authenticated FTP users' ability to use the RNFR command with suspicious path prefixes can help reduce risk.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
