CVE-2026-28295 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been discovered in the GVfs FTP backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports reachable from the client's network.
Critical Impact
This vulnerability enables attackers controlling a malicious FTP server to conduct port scanning and network reconnaissance on internal systems accessible from the victim's network, potentially exposing sensitive internal infrastructure.
Affected Products
- GVfs FTP backend (affected versions not specified)
- Linux distributions using GVfs for file system access
- GNOME desktop environments utilizing GVfs
Discovery Timeline
- 2026-02-26 - CVE-2026-28295 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-28295
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The flaw exists in how the GVfs FTP backend handles passive mode (PASV) responses from FTP servers. In the FTP protocol, when a client initiates a passive mode connection, the server responds with an IP address and port number where the client should connect to transfer data.
The GVfs FTP backend implementation fails to properly validate the IP address and port information returned in the PASV response. Instead of restricting data connections to the same host as the control connection, the client unconditionally trusts and connects to whatever endpoint the server specifies. This design flaw creates an SSRF condition that can be weaponized by malicious FTP servers.
Root Cause
The root cause of this vulnerability is improper validation of server-provided data in the FTP passive mode implementation. The GVfs FTP backend lacks security controls to verify that the data connection destination matches the control connection server, allowing arbitrary redirect of data connections to attacker-specified endpoints.
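The missing check described above, as an added Python example; this is not GVfs code (GVfs is written in C, and its actual PASV parser is not reproduced here). It parses an RFC 959 "227" reply and compares the advertised host with the peer of the control connection, which the example assumes is passed in as the IP string the control socket is connected to (`control_host`). The trusting variant is shown only to make the difference concrete.

```python
"""Added example (not GVfs code): parse an FTP PASV reply and refuse
data-connection endpoints that differ from the control-connection host.
This is the class of validation CVE-2026-28295 describes as missing."""
import re

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) from a 227 reply; raise ValueError if malformed."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no address tuple in PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]
    if port == 0:
        raise ValueError("port 0 in PASV reply")
    return host, port


def data_endpoint_trusting(reply: str, control_host: str) -> tuple[str, int]:
    """Vulnerable pattern: connect wherever the server says, ignoring
    which host the control connection was made to."""
    return parse_pasv(reply)


def data_endpoint_checked(reply: str, control_host: str) -> tuple[str, int]:
    """Hardened pattern: the data connection may only go to the same host
    as the control connection; anything else is rejected."""
    host, port = parse_pasv(reply)
    if host != control_host:
        raise ValueError(
            f"PASV host {host} differs from control host {control_host}; refusing"
        )
    return host, port


if __name__ == "__main__":
    ctrl = "203.0.113.10"                       # constructed control peer
    benign = "227 Entering Passive Mode (203,0,113,10,4,1)"
    hostile = "227 Entering Passive Mode (10,0,0,5,0,22)"   # constructed redirect
    print("trusting:", data_endpoint_trusting(hostile, ctrl))
    print("checked :", data_endpoint_checked(benign, ctrl))
    try:
        data_endpoint_checked(hostile, ctrl)
    except ValueError as e:
        print("checked :", e)
```

An equally common defence is to ignore the advertised address entirely and reuse the control peer with only the advertised port; either way the server loses the ability to steer the data connection. When the control connection was opened by hostname, compare against the resolved peer address actually in use, not the name.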
Attack Vector
The attack vector requires user interaction where the victim connects to a malicious FTP server. The attack flow proceeds as follows:
- The victim initiates an FTP connection to an attacker-controlled server
- When passive mode is requested, the malicious server responds with a crafted PASV response containing an arbitrary internal IP address and port
- The GVfs client blindly trusts this information and attempts to establish a data connection to the specified endpoint
- Based on the connection result (success, failure, timing), the attacker can infer network topology and open ports on internal systems
This technique allows attackers to leverage the victim's network position to scan internal infrastructure that would otherwise be inaccessible from the internet. For technical details, see the Red Hat CVE-2026-28295 Advisory and Red Hat Bug Report #2443004.
Detection Methods for CVE-2026-28295
Indicators of Compromise
- Unusual outbound FTP connections to untrusted or suspicious external servers
- FTP data connections targeting internal IP addresses that differ from the FTP control connection server
- Connection attempts to non-standard ports following FTP PASV command exchanges
- Network traffic patterns indicating port scanning originating from GVfs processes
Detection Strategies
- Monitor for FTP connections where the data connection destination differs from the control connection server IP
- Implement network segmentation alerts for FTP clients attempting connections to internal RFC1918 address spaces
- Deploy endpoint detection to identify gvfsd-ftp processes making connections to internal infrastructure
- Create IDS/IPS rules to detect anomalous PASV responses containing internal IP addresses
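One way to implement the first strategy above (data connection destination differs from the control connection server) together with the RFC 1918 check, as an added Python example that is not part of the advisory. It assumes endpoint telemetry that records, per process, the destination of each outbound TCP connection and whether it is the FTP control connection or a data connection; the key=value line format and the sample lines are constructed for the example, and the `gvfsd-ftp` process name is taken from the advisory.

```python
"""Added detection example (not from the advisory): correlate FTP control
and data connections per process and flag data connections whose destination
differs from the control-connection peer, with higher severity when the
target is an RFC 1918, loopback or link-local address."""
import ipaddress
import re

# Constructed sample telemetry. The key=value layout is an assumption for
# this example, not the output format of any real EDR or network sensor.
SAMPLE_LOG = """\
2026-02-26T10:00:01Z pid=4242 proc=gvfsd-ftp kind=control dst=203.0.113.10:21
2026-02-26T10:00:02Z pid=4242 proc=gvfsd-ftp kind=data dst=203.0.113.10:50021
2026-02-26T10:00:05Z pid=4242 proc=gvfsd-ftp kind=data dst=10.0.0.5:22
2026-02-26T10:00:06Z pid=4242 proc=gvfsd-ftp kind=data dst=10.0.0.5:3389
2026-02-26T10:01:00Z pid=5151 proc=gvfsd-ftp kind=control dst=198.51.100.7:21
2026-02-26T10:01:01Z pid=5151 proc=gvfsd-ftp kind=data dst=198.51.100.7:60000
2026-02-26T10:02:00Z pid=6161 proc=firefox kind=data dst=10.0.0.9:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"kind=(?P<kind>control|data) dst=(?P<ip>[\d.]+):(?P<port>\d+)$"
)

# Internal ranges as the advisory names them (RFC 1918), plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one telemetry line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    return ev


def find_alerts(log_text: str, process: str = "gvfsd-ftp") -> list:
    """Return alert dicts for data connections of `process` that do not go
    back to the server the same pid opened its control connection to."""
    control_peer = {}   # pid -> IP of the FTP control-connection server
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["proc"] != process:
            continue
        if ev["kind"] == "control":
            control_peer[ev["pid"]] = ev["ip"]
            continue
        peer = control_peer.get(ev["pid"])
        if peer is None:
            reason, severity = "data connection with no prior control session", "medium"
        elif ev["ip"] != peer:
            reason = f"data destination differs from control peer {peer}"
            severity = "high" if is_internal(ev["ip"]) else "medium"
        else:
            continue   # data connection back to the same server: normal PASV behaviour
        alerts.append({
            "ts": ev["ts"], "pid": ev["pid"], "dst": ev["ip"],
            "port": ev["port"], "reason": reason, "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} pid={a['pid']} "
              f"-> {a['dst']}:{a['port']} : {a['reason']}")
```

Keying the control peer by pid is a simplification; a sensor that exposes socket or session identifiers lets you correlate more precisely, and a client that legitimately uses a load-balanced FTP service may produce medium-severity mismatches that need a tuned allow-list.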
Monitoring Recommendations
- Log all FTP passive mode connections and analyze destination IP patterns
- Configure network monitoring to alert on GVfs processes connecting to unexpected internal endpoints
- Establish baseline FTP connection behavior to identify deviations indicative of exploitation
- Implement centralized logging for all file transfer activities across the environment
How to Mitigate CVE-2026-28295
Immediate Actions Required
- Avoid connecting to untrusted or unknown FTP servers until patches are available
- Consider disabling FTP functionality in GVfs if not required for business operations
- Implement network-level controls to restrict outbound FTP connections to known trusted servers
- Apply security patches from your Linux distribution vendor when they become available
Patch Information
Consult the Red Hat CVE-2026-28295 Advisory for official patch information and updates. Track Red Hat Bug Report #2443004 for remediation progress. Apply vendor-provided security updates as soon as they become available.
Workarounds
- Use alternative secure file transfer methods such as SFTP or SCP instead of FTP
- Configure firewall rules to block FTP data connections to internal network ranges
- Implement proxy-based FTP access that can validate PASV responses before forwarding
- Consider application-level controls to restrict GVfs FTP backend usage
# Example: block outbound TCP connections from one user's processes to RFC 1918
# ranges on the high port range an FTP PASV data connection is normally steered to.
# Caveat: these rules match any high-port TCP traffic from that user to those
# ranges, not only FTP data connections, so check them against legitimate internal
# services before deploying. Run as root and set "$USER" to the desktop user whose
# GVfs session should be restricted (under sudo, $USER is typically root).
# Add to iptables firewall rules
iptables -A OUTPUT -p tcp --dport 1024:65535 -d 10.0.0.0/8 -m owner --uid-owner "$USER" -m comment --comment "Block FTP PASV to internal" -j DROP
iptables -A OUTPUT -p tcp --dport 1024:65535 -d 172.16.0.0/12 -m owner --uid-owner "$USER" -m comment --comment "Block FTP PASV to internal" -j DROP
iptables -A OUTPUT -p tcp --dport 1024:65535 -d 192.168.0.0/16 -m owner --uid-owner "$USER" -m comment --comment "Block FTP PASV to internal" -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


