Executive Summary

CVE-2026-41235 is an authorization bypass vulnerability in Froxlor version 2.3.6 that allows authenticated customers with shell delegation privileges to assign arbitrary shells to FTP users, bypassing the administrator-defined whitelist of approved shells.

Although the Froxlor panel UI restricts shell choices to a predefined whitelist, the server-side FTP account handlers do not enforce this restriction when processing add or edit requests. This means an attacker can submit a shell value not on the whitelist, such as /bin/bash.

In deployments using the default nssextrausers integration, the malicious shell is written into the system account database, granting the attacker real host shell access.

The vulnerability arises from incorrect authorization enforcement, where the system fails to validate user-provided shell values against the intended authorization boundary.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized host shell access, which can lead to lateral movement within the system, privilege escalation, data theft, and persistence on shared-hosting environments.

An attacker with a valid customer account and shell delegation enabled can exploit this flaw to gain elevated control over the server by assigning themselves an arbitrary shell.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if any FTP user accounts have been assigned shells outside the approved whitelist defined in `system.available_shells`. Since the issue involves an attacker submitting arbitrary shell values such as `/bin/bash` via a POST request to `customer_ftp.php`, monitoring such requests or inspecting the system account database for unauthorized shell assignments can help detect exploitation.

You can look for FTP user accounts with shells not in the approved list by running commands like:

• grep -E '/bin/bash|/bin/sh|/bin/zsh' /etc/passwd
• awk -F: '{print $1, $7}' /etc/passwd | grep -v -f approved_shells.txt

Where `approved_shells.txt` contains the list of shells allowed by the administrator. Additionally, monitoring web server logs for POST requests to `customer_ftp.php` with shell parameters outside the whitelist can help identify attempts to exploit this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Froxlor to version 2.3.7 or later, where this vulnerability is fixed.

Until the upgrade is applied, restrict or disable shell delegation privileges for authenticated customers to prevent them from assigning arbitrary shells to FTP users.

Additionally, review and manually correct any unauthorized shell assignments in the system account database to remove shells not in the approved whitelist.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Froxlor 2.3.6 allows authenticated customers with shell delegation privileges to bypass authorization controls and assign arbitrary shells to FTP users, potentially leading to unauthorized host shell access.

This unauthorized access could facilitate lateral movement, privilege escalation, and data theft on shared-hosting systems.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

However, the provided information does not explicitly detail the direct impact on compliance frameworks.

Useful 0 Not Useful 0