CVE-2026-41231
Description
Froxlor is open source server administration software. Prior to version 2.3.6, DataDump.add() constructs the export destination path from user-supplied input without passing the $fixed_homedir parameter to FileDir::makeCorrectDir(), bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes chown -R on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix.
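The check described above, as an added example that is not Froxlor's code (function names are hypothetical): a containment test for a customer-supplied export destination. It resolves every path component through realpath(), so a symlink anywhere below the docroot is caught, not only one in the final component, and because the export directory may not exist yet it resolves the deepest existing ancestor and re-appends the unresolved components.

```php
<?php
// Added example, not Froxlor code. Resolves a destination that may not exist
// yet by walking up to its deepest existing ancestor, canonicalising that with
// realpath() (which follows symlinks in every component), then re-appending
// the not-yet-created components. Returns null when the path cannot be judged.
function resolveDestination(string $destdir): ?string
{
    $existing = rtrim($destdir, '/');
    $pending = [];
    // peel trailing components until something exists (a dangling symlink
    // counts as existing so that realpath() below fails and rejects it)
    while (!file_exists($existing) && !is_link($existing)) {
        $leaf = basename($existing);
        if ($leaf === '' || $leaf === '.' || $leaf === '..') {
            return null; // never reason about unresolved traversal components
        }
        array_unshift($pending, $leaf);
        $parent = dirname($existing);
        if ($parent === $existing) {
            return null;
        }
        $existing = $parent;
    }
    $real = realpath($existing);
    if ($real === false) {
        return null;
    }
    return rtrim($real, '/') . ($pending ? '/' . implode('/', $pending) : '');
}

// True only if the resolved destination lies strictly below the resolved
// docroot; the docroot itself is rejected, as in DataDump::add().
function isSafeExportDestination(string $docroot, string $destdir): bool
{
    $root = realpath($docroot);
    $real = resolveDestination($destdir);
    if ($root === false || $real === null) {
        return false;
    }
    $root = rtrim($root, '/');
    return $real !== $root && strncmp($real, $root . '/', strlen($root) + 1) === 0;
}

// constructed demo layout (hypothetical paths under the system temp dir)
$doc = sys_get_temp_dir() . '/docroot_demo';
@mkdir($doc . '/www', 0700, true);
@symlink('/etc', $doc . '/escape');
var_dump(isSafeExportDestination($doc, $doc . '/www/export'));    // regular subdirectory
var_dump(isSafeExportDestination($doc, $doc . '/escape/export')); // symlink pointing outside the docroot
var_dump(isSafeExportDestination($doc, $doc));                    // the docroot itself
```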
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| froxlor/froxlor (Packagist) | < 2.3.6 | 2.3.6 |
Affected products
Patches
2987b0e8806e add symlink-validation to data-export
2 files changed · +6 −2
lib/Froxlor/Api/Commands/DataDump.php+1 −1 modified@@ -85,7 +85,7 @@ public function add() // validation $path = FileDir::makeCorrectDir(Validate::validate($path, 'path', '', '', [], true)); $userpath = $path; - $path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path); + $path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']); // path cannot be the customers docroot if ($path == FileDir::makeCorrectDir($customer['documentroot'])) {
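Review bot: passing $customer['documentroot'] as the second argument of FileDir::makeCorrectDir() restores the symlink validation the other customer-facing path operations already get, but the pre-resolution value is still kept in $userpath on the line above the change; confirm nothing downstream uses $userpath as a filesystem path, and add a regression test in which a symlink inside the docroot points outside it, asserting that add() now rejects that destination.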
lib/Froxlor/Cron/System/ExportCron.php+5 −1 modified@@ -229,7 +229,11 @@ private static function createCustomerExport($data = null, $customerdocroot = nu FileDir::safe_exec('rm -rf ' . escapeshellarg($tmpdir)); // set owner to customer $cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_DEBUG, 'shell> chown -R ' . (int)$data['uid'] . ':' . (int)$data['gid'] . ' ' . escapeshellarg($data['destdir'])); - FileDir::safe_exec('chown -R ' . (int)$data['uid'] . ':' . (int)$data['gid'] . ' ' . escapeshellarg($data['destdir'])); + if (is_link(rtrim($data['destdir'], '/'))) { + $cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_ERR, 'Export destination is a symlink, skipping chown for security: ' . $data['destdir']); + } else { + FileDir::safe_exec('chown -R ' . (int)$data['uid'] . ':' . (int)$data['gid'] . ' ' . escapeshellarg($data['destdir'])); + } } } }
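Review bot: the is_link(rtrim($data['destdir'], '/')) guard only inspects the final path component, so a symlink in an intermediate component of destdir is not detected; consider resolving the path with realpath() and checking that it stays below $customerdocroot (already a parameter of createCustomerExport()) before the chown. Also, the LOG_DEBUG line `'shell> chown -R ' . (int)$data['uid'] ...` is still emitted before the new check, so the cron log records a chown even in the skipped branch; move that logAction() call into the else block.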
References
- github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d (NVD: Patch)
- github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r (NVD: Exploit, Vendor Advisory, Mitigation)
- github.com/advisories/GHSA-75h4-c557-j89r (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-41231 (GHSA: Advisory)
- github.com/froxlor/froxlor/releases/tag/2.3.6 (NVD: Release Notes)