CVE-2026-41231 Overview
CVE-2026-41231 is a symlink attack vulnerability in Froxlor, an open source server administration software. Prior to version 2.3.6, the DataDump.add() function constructs the export destination path from user-supplied input without passing the $fixed_homedir parameter to FileDir::makeCorrectDir(). This oversight bypasses the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes chown -R on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system.
Critical Impact
A low-privileged customer can exploit this vulnerability to gain ownership of arbitrary system directories, potentially leading to full system compromise when the export cron job runs with root privileges.
Affected Products
- Froxlor versions prior to 2.3.6
Discovery Timeline
- 2026-04-23 - CVE-2026-41231 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-41231
Vulnerability Analysis
This vulnerability stems from an incomplete security fix for a previously identified symlink attack (CVE-2023-6069). While symlink validation was added to most customer-facing path operations in Froxlor, the DataDump.add() function was overlooked. The function accepts user-controlled path input and processes it without the critical $fixed_homedir parameter that would normally constrain paths within the customer's document root.
The critical issue occurs during the export cron job execution. When ExportCron.php runs with root privileges, it performs a recursive chown operation on the export destination directory. If an attacker creates a symbolic link pointing to a sensitive system directory (such as /etc, /root, or /var/www), the chown -R command will follow the symlink and change ownership of the target directory and all its contents to the attacking customer's user ID.
Root Cause
The root cause is classified as CWE-59 (Improper Link Resolution Before File Access). The vulnerability exists because the DataDump.add() function in lib/Froxlor/Api/Commands/DataDump.php constructs the export destination path by concatenating the customer's document root with user-supplied input, but fails to pass the $fixed_homedir parameter to FileDir::makeCorrectDir(). Without this parameter, the function does not validate whether the resulting path is actually contained within the customer's allowed directory or if it resolves through a symlink to an external location.
Attack Vector
The attack can be executed remotely over the network by an authenticated customer with low privileges. The attacker would:
- Create a symbolic link within their document root pointing to a target system directory
- Use the data export functionality to specify the symlink path as the export destination
- Wait for the ExportCron job to execute with root privileges
- The chown -R operation follows the symlink and transfers ownership of the target directory to the attacker
The following patch from the GitHub commit shows how the vulnerability was fixed in DataDump.php:
// validation
$path = FileDir::makeCorrectDir(Validate::validate($path, 'path', '', '', [], true));
$userpath = $path;
- $path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path);
+ $path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);
// path cannot be the customers docroot
if ($path == FileDir::makeCorrectDir($customer['documentroot'])) {
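Review bot: the docroot comparison in the trailing context uses == and should use ===; PHP's loose comparison applies numeric-string coercion, and a strict string comparison is the safer default for path checks. Also note that $userpath = $path captures the value before the containment that the new second argument ($customer['documentroot'] as $fixed_homedir) enforces, so any later use of $userpath must not be treated as a validated path. A regression test that creates a symlink inside a customer docroot pointing outside it and asserts that add() rejects that destination would pin this fix in place.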
Additionally, a defense-in-depth check was added to ExportCron.php:
FileDir::safe_exec('rm -rf ' . escapeshellarg($tmpdir));
// set owner to customer
$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_DEBUG, 'shell> chown -R ' . (int)$data['uid'] . ':' . (int)$data['gid'] . ' ' . escapeshellarg($data['destdir']));
- FileDir::safe_exec('chown -R ' . (int)$data['uid'] . ':' . (int)$data['gid'] . ' ' . escapeshellarg($data['destdir']));
+ if (is_link(rtrim($data['destdir'], '/'))) {
+ $cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_ERR, 'Export destination is a symlink, skipping chown for security: ' . $data['destdir']);
+ } else {
+ FileDir::safe_exec('chown -R ' . (int)$data['uid'] . ':' . (int)$data['gid'] . ' ' . escapeshellarg($data['destdir']));
+ }
}
}
}
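Review bot: is_link(rtrim($data['destdir'], '/')) only tests the final path component, so a symlink in an intermediate component (a linked subdirectory with a real directory beneath it) still passes and chown -R then operates on the resolved location; comparing realpath($data['destdir']) against the customer's document root would cover every component. Two smaller points: the LOG_DEBUG line announcing 'shell> chown -R ...' is emitted before the branch decides to skip, so it should move inside the else branch to keep the log truthful, and because this check runs at the chown step, which follows the removal of $tmpdir, the export output is already in place by then; applying the same test before the destination is written would be stronger.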
Detection Methods for CVE-2026-41231
Indicators of Compromise
- Unexpected ownership changes on system directories (e.g., /etc, /root, /var)
- Symlinks in customer document roots pointing to directories outside the customer's allowed path
- Error messages in Froxlor cron logs indicating symlink detection: "Export destination is a symlink, skipping chown for security"
- Suspicious data export requests targeting paths that resolve outside customer directories
Detection Strategies
- Monitor file ownership changes on critical system directories using file integrity monitoring (FIM) tools
- Audit Froxlor data export API calls for paths containing .. or suspicious directory references
- Implement alerting on chown operations executed by the Froxlor cron process that target paths outside customer document roots
- Review Froxlor application logs for export operations with unusual destination paths
Monitoring Recommendations
- Enable comprehensive logging for the ExportCron job to capture all destination paths
- Deploy SentinelOne agents configured to detect privilege escalation patterns and unauthorized ownership changes
- Configure real-time alerts for any chown -R operations on sensitive system directories executed by web application processes
- Implement periodic scans of customer document roots to identify symlinks pointing outside allowed directories
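As an added example (not Froxlor's code), the two checks the fix introduces, written as a Python helper, together with the periodic symlink scan recommended above; is_safe_export_destination and find_escaping_symlinks are hypothetical names, and the containment logic is an approximation of what $fixed_homedir enforces rather than a port of makeCorrectDir.

```python
import os
from pathlib import Path
from typing import List, Tuple


def is_safe_export_destination(docroot: str, user_path: str) -> Tuple[bool, str]:
    """Hypothetical helper mirroring the two checks the 2.3.6 fix adds.

    1. Containment: the fully resolved destination must lie under the resolved
       docroot (what passing $fixed_homedir to makeCorrectDir enforces).
    2. The final component must not itself be a symlink (ExportCron's is_link).
    Returns (ok, reason_or_resolved_path).
    """
    root = Path(docroot).resolve()
    candidate = Path(docroot, user_path.lstrip("/"))
    # resolve() follows symlinks in every component, so a link anywhere in the
    # path that escapes the docroot is caught, not only the last component.
    resolved = candidate.resolve()
    if resolved == root:
        return False, "destination equals the customer docroot"
    if root not in resolved.parents:
        return False, "destination resolves outside docroot: " + str(resolved)
    if candidate.is_symlink():
        return False, "destination is a symlink"
    return True, str(resolved)


def find_escaping_symlinks(webs_root: str) -> List[Tuple[str, str]]:
    """Periodic scan: every symlink below webs_root whose target resolves
    outside webs_root, reported as (link, resolved_target) pairs."""
    root = Path(webs_root).resolve()
    findings: List[Tuple[str, str]] = []
    # followlinks=False keeps the walk itself from descending through a link.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath, name)
            if not link.is_symlink():
                continue
            target = link.resolve()
            if target != root and root not in target.parents:
                findings.append((str(link), str(target)))
    return findings
```

Run find_escaping_symlinks against the customer webs directory from cron and alert on any non-empty result; the first function is the per-request check an API front end would apply before accepting a destination.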
How to Mitigate CVE-2026-41231
Immediate Actions Required
- Upgrade Froxlor to version 2.3.6 or later immediately
- Audit all customer document roots for suspicious symlinks pointing to system directories
- Review ownership of critical system directories for unauthorized changes
- Temporarily disable the data export functionality if immediate patching is not possible
Patch Information
Froxlor version 2.3.6 contains the complete fix for this vulnerability. The patch adds the $fixed_homedir parameter to the FileDir::makeCorrectDir() call in DataDump.php and implements an additional symlink check in ExportCron.php as a defense-in-depth measure. The patch is available in the GitHub release and the specific changes can be reviewed in the commit.
Workarounds
- Disable the data export feature by restricting access to the DataDump API endpoint until patching is complete
- Implement filesystem restrictions using mount options like nosymfollow on customer document root partitions
- Run the ExportCron job with reduced privileges instead of root where possible
- Add custom validation scripts to detect and remove symlinks in customer directories before cron execution
# Find and audit symlinks in customer document roots, reporting links whose
# resolved target lies outside the customer webs tree (default location assumed)
find /var/customers/webs/ -type l -exec sh -c '
    for l; do t=$(readlink -f "$l"); case "$t" in /var/customers/webs/*) ;; *) echo "$l -> $t";; esac; done' sh {} +
# Check for ownership changes on critical directories
stat --format="%n: owner=%U group=%G" /etc /root /var/www
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


