CVE-2026-44331 Overview
CVE-2026-44331 is a SQL injection vulnerability [CWE-89] in ProFTPD versions through 1.3.9a, prior to commit 7666224. The flaw resides in the sqltab_fetch_clients_cb() function within contrib/mod_wrap2_sql.c. When the server is configured with UseReverseDNS on, attacker-supplied hostnames returned from a reverse DNS lookup are passed unescaped into SQL queries. A remote attacker who controls the reverse DNS records for their connecting IP address can inject arbitrary SQL commands. Exploitation is constrained by the character set permitted in valid DNS names, which limits but does not eliminate practical attack payloads.
Critical Impact
Remote unauthenticated attackers can inject SQL commands into the access-control database used by mod_wrap2_sql, potentially bypassing IP-based restrictions, modifying data, or extracting sensitive information.
Affected Products
- ProFTPD versions through 1.3.9a (before commit 7666224)
- Deployments using the mod_wrap2_sql contrib module
- Servers configured with UseReverseDNS on
Discovery Timeline
- 2026-05-05 - CVE-2026-44331 published to the National Vulnerability Database
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-44331
Vulnerability Analysis
The vulnerability exists in mod_wrap2_sql, a ProFTPD sub-module that supplies IP-based access control data through SQL backends. The function sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c constructs SQL lookups using the client's resolved hostname when reverse DNS resolution is enabled. Because the hostname value is concatenated into the query without proper escaping, an attacker who controls the PTR record for their source IP can craft a hostname containing SQL metacharacters. The injected payload is executed against the configured access-control database during connection establishment, before authentication occurs.
Root Cause
The root cause is missing input sanitization on hostname strings that originate from external DNS infrastructure. ProFTPD treats reverse-resolved hostnames as trusted input and passes them directly into SQL statements. The mod_wrap2_sql lookup path lacks parameterized queries or escaping for the name field used in client lookups.
Attack Vector
An attacker configures a malicious PTR record for an IP address they control, embedding SQL syntax inside the hostname. They then initiate a connection to the target ProFTPD server. During the reverse DNS lookup performed by ProFTPD, the crafted hostname is retrieved and inserted into the SQL access-control query. Exploitation does not require authentication, but DNS hostname character restrictions narrow the available payload syntax. The high attack complexity reflects the need to control authoritative DNS for the source IP and the constraints on permissible characters.
/*
* ProFTPD: mod_wrap2_sql -- a mod_wrap2 sub-module for supplying IP-based
* access control data via SQL tables
- * Copyright (c) 2002-2016 TJ Saunders
+ * Copyright (c) 2002-2026 TJ Saunders
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
Source: ProFTPD commit 7666224 — the patch properly escapes the name value used in SQL lookups for allowed and denied clients.
Detection Methods for CVE-2026-44331
Indicators of Compromise
- Connections from IP addresses whose PTR records contain SQL metacharacters such as single quotes, semicolons, comments, or UNION keywords.
- Unexpected SQL errors logged by the database backend serving mod_wrap2_sql lookups during client connection events.
- Modifications to the access-control tables consulted by mod_wrap2_sql that do not correspond to administrator activity.
Detection Strategies
- Inspect ProFTPD logs for resolved hostnames containing non-standard DNS characters and correlate with database query logs.
- Enable SQL query logging on the backend database and alert on syntactically anomalous statements originating from the ProFTPD service account.
- Compare resolved hostnames against the strict DNS label grammar [RFC 1035] and flag entries containing characters outside [A-Za-z0-9.-].
Monitoring Recommendations
- Forward ProFTPD authentication and connection logs to a centralized log platform for anomaly review.
- Monitor for spikes in connection attempts from IP ranges with attacker-controlled reverse DNS zones.
- Track changes to mod_wrap2_sql tables and alert on unexpected INSERT, UPDATE, or DROP operations.
How to Mitigate CVE-2026-44331
Immediate Actions Required
- Upgrade ProFTPD to a build that includes commit 7666224 or later from the official repository.
- If patching is not immediately feasible, set UseReverseDNS off in proftpd.conf to eliminate the attack path.
- Audit mod_wrap2_sql access-control tables for unauthorized rows or modifications.
Patch Information
The upstream fix is published in ProFTPD commit 766622456440fbca33abd7927c523673a11d1ed1, tracked in GitHub Issue #2057. The patch escapes the name value before it is used in SQL queries within contrib/mod_wrap2_sql.c.
Workarounds
- Disable reverse DNS resolution by configuring UseReverseDNS off until the patched version is deployed.
- Switch mod_wrap2 to a non-SQL backend such as file-based access control while patching is planned.
- Restrict the database account used by mod_wrap2_sql to read-only access on a minimal set of tables to limit injection impact.
# /etc/proftpd/proftpd.conf - temporary mitigation
UseReverseDNS off
IdentLookups off
# Verify configuration and restart the service
proftpd -t -c /etc/proftpd/proftpd.conf
systemctl restart proftpd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
