CVE-2026-41236
Deferred Deferred - Pending Action
Symlink Following in Froxlor Leading to Root SSH Access

Publication date: 2026-06-04

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link. If an attacker controls a shell-enabled customer account and can modify files inside the assigned home directory, the attacker can replace `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys`. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key into root's authorized key file, resulting in root SSH access. Version 2.3.7 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-08
Generated
2026-06-26
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-24
NVD
CVE-2026-41236
EUVD
EUVD-2026-34315
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
froxlor froxlor to 2.3.7 (exc)
froxlor froxlor From 2.3.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41236 is a high-severity privilege escalation vulnerability in Froxlor version 2.3.6. It arises from a flaw in the SSH key synchronization process where Froxlor appends public keys to the authorized_keys file in a customer-controlled home directory without verifying if the file is a symbolic link.

An attacker with a shell-enabled customer account can exploit this by replacing the authorized_keys file with a symbolic link pointing to the root user's authorized_keys file. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker's key to root's authorized keys, granting the attacker root SSH access.

Impact Analysis

This vulnerability allows an attacker with a shell-enabled customer account to gain root-level SSH access to the system. This means the attacker can fully compromise the system, including stealing data, maintaining persistent access, and tampering with services.

Detection Guidance

This vulnerability can be detected by checking if the ~/.ssh/authorized_keys file in customer home directories is a symbolic link pointing to /root/.ssh/authorized_keys or any other sensitive location. Since the flaw involves symlink-following in the SSH key synchronization path, verifying the presence of such symlinks is critical.

  • Use the command `find /home -type l -name authorized_keys -exec ls -l {} \;` to locate symbolic links named authorized_keys in customer home directories.
  • Check the target of any found symlink with `readlink -f /path/to/authorized_keys` to see if it points to /root/.ssh/authorized_keys.
  • Review the contents of /root/.ssh/authorized_keys for unexpected or unauthorized SSH keys appended by the Froxlor cron job.
Mitigation Strategies

The immediate mitigation step is to upgrade Froxlor to version 2.3.7 or later, where the symlink-following flaw in the SSH key synchronization path has been patched.

Until the upgrade can be applied, restrict or disable shell access for customer accounts to prevent attackers from exploiting the vulnerability.

Manually inspect and remove any unauthorized symbolic links named authorized_keys in customer home directories, and verify the integrity of the root user's authorized_keys file.

Consider temporarily disabling the Froxlor privileged cron task that synchronizes SSH keys to prevent further unauthorized key appending.

Compliance Impact

The vulnerability allows an attacker with a shell-enabled customer account to gain root SSH access, leading to full system compromise including data theft, persistence, and service tampering.

Such a compromise can result in unauthorized access to sensitive data, which may violate data protection regulations like GDPR and HIPAA that require strict controls on data confidentiality and integrity.

Therefore, exploitation of this vulnerability could lead to non-compliance with these standards due to potential data breaches and failure to maintain secure access controls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41236. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart