CVE-2026-41236
Symlink Following in Froxlor Leading to Root SSH Access
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| froxlor | froxlor | to 2.3.7 (exc) |
| froxlor | froxlor | From 2.3.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41236 is a high-severity privilege escalation vulnerability in Froxlor version 2.3.6. It arises from a flaw in the SSH key synchronization process where Froxlor appends public keys to the authorized_keys file in a customer-controlled home directory without verifying if the file is a symbolic link.
An attacker with a shell-enabled customer account can exploit this by replacing the authorized_keys file with a symbolic link pointing to the root user's authorized_keys file. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker's key to root's authorized keys, granting the attacker root SSH access.
How can this vulnerability impact me? :
This vulnerability allows an attacker with a shell-enabled customer account to gain root-level SSH access to the system. This means the attacker can fully compromise the system, including stealing data, maintaining persistent access, and tampering with services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the ~/.ssh/authorized_keys file in customer home directories is a symbolic link pointing to /root/.ssh/authorized_keys or any other sensitive location. Since the flaw involves symlink-following in the SSH key synchronization path, verifying the presence of such symlinks is critical.
- Use the command `find /home -type l -name authorized_keys -exec ls -l {} \;` to locate symbolic links named authorized_keys in customer home directories.
- Check the target of any found symlink with `readlink -f /path/to/authorized_keys` to see if it points to /root/.ssh/authorized_keys.
- Review the contents of /root/.ssh/authorized_keys for unexpected or unauthorized SSH keys appended by the Froxlor cron job.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Froxlor to version 2.3.7 or later, where the symlink-following flaw in the SSH key synchronization path has been patched.
Until the upgrade can be applied, restrict or disable shell access for customer accounts to prevent attackers from exploiting the vulnerability.
Manually inspect and remove any unauthorized symbolic links named authorized_keys in customer home directories, and verify the integrity of the root user's authorized_keys file.
Consider temporarily disabling the Froxlor privileged cron task that synchronizes SSH keys to prevent further unauthorized key appending.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker with a shell-enabled customer account to gain root SSH access, leading to full system compromise including data theft, persistence, and service tampering.
Such a compromise can result in unauthorized access to sensitive data, which may violate data protection regulations like GDPR and HIPAA that require strict controls on data confidentiality and integrity.
Therefore, exploitation of this vulnerability could lead to non-compliance with these standards due to potential data breaches and failure to maintain secure access controls.