Cyber Posture

CVE-2026-41231

High · Public PoC

Published: 23 April 2026

Modified: 27 April 2026
KEV Added: not listed
Patch: fixed in Froxlor 2.3.6
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (22.5th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41231 is a high-severity Link Following (CWE-59) vulnerability in Froxlor (vendor: Froxlor). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 22.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and one other technique (T1222.002). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (AC-6, Least Privilege): Enforcing least privilege prevents the ExportCron from running as root, blocking low-privilege customers from using symlinks to chown arbitrary system directories.

prevent (SI-2, Flaw Remediation): Timely flaw remediation by patching to Froxlor version 2.3.6 directly fixes the symlink bypass in DataDump.add() that skips fixed_homedir validation.

prevent (SI-10, Information Input Validation): Validating user-supplied export path inputs prevents construction of malicious symlinks that bypass FileDir::makeCorrectDir() symlink checks.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1222.002 Linux and Mac Permissions (tactic: Defense Impairment)
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.
Why these techniques?

A symlink-following flaw in an authenticated path input lets a low-privilege user cause the root cron job to chown arbitrary directories, which directly enables privilege escalation through vulnerability exploitation and modification of Linux file/directory permissions.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix.

Deeper analysis

CVE-2026-41231 is a symlink following vulnerability (CWE-59) affecting Froxlor, open-source server administration software, in versions prior to 2.3.6. The issue resides in the `DataDump.add()` function, which constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`. This bypasses the symlink validation previously added to other customer-facing path operations, likely as the fix for CVE-2023-6069. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated customer with low privileges (PR:L) can exploit this by providing a malicious symlink in the export path. When the ExportCron job runs as root, it executes `chown -R` on the resolved symlink target, enabling the attacker to take ownership of arbitrary directories on the system. Exploitation requires high attack complexity (AC:H) but can be performed over the network without user interaction, potentially leading to high confidentiality, integrity, and availability impacts.

Froxlor version 2.3.6 addresses the issue with an updated fix, as detailed in the project's GitHub release notes, commit history, and security advisory (GHSA-75h4-c557-j89r). Security practitioners should upgrade to 2.3.6 or later and review configurations to ensure the ExportCron does not run with excessive privileges where possible.
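To make the root cause and the fix concrete, the following Python script is an added example written for this page; it is not Froxlor's code and does not reproduce `FileDir::makeCorrectDir()` or `DataDump.add()`. It models the two halves of the advisory in a generic way: a customer-supplied export path that is resolved and checked for containment inside the customer's home directory (the role the `$fixed_homedir` check plays), and a privileged recursive chown that only runs on a validated path. The function names (`validate_export_dir`, `privileged_chown_recursive`, `unvalidated_chown_recursive`, `demo`) and the directory layout are assumptions constructed for the demo; the chown call is injectable so the script runs without root.

```python
import os
import tempfile


def validate_export_dir(homedir: str, user_path: str) -> str:
    """Resolve a customer-supplied export path and require that it still lies
    inside the customer's home directory after every symlink and '..' has been
    followed. Returns the resolved absolute path or raises ValueError.

    Hypothetical stand-in for a $fixed_homedir containment check; it is not
    Froxlor's FileDir::makeCorrectDir().
    """
    base = os.path.realpath(homedir)
    # os.path.join drops `base` when user_path is absolute, so the containment
    # check below, not the join, is what actually enforces the boundary.
    candidate = os.path.join(base, user_path)
    resolved = os.path.realpath(candidate)  # follows symlinks, collapses '..'
    if os.path.commonpath([base, resolved]) != base:
        raise ValueError(f"export path escapes home directory: {user_path!r}")
    return resolved


def _chown_tree(top: str, uid: int, gid: int, chown) -> list:
    """Walk `top` without following symlinks and chown each entry.
    Real deployments would pass os.lchown so nested symlinks are never
    dereferenced; the demo injects a recorder instead."""
    touched = []
    for dirpath, _dirnames, filenames in os.walk(top):  # followlinks=False
        chown(dirpath, uid, gid)
        touched.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            chown(path, uid, gid)
            touched.append(path)
    return touched


def privileged_chown_recursive(homedir, user_path, uid, gid, chown=os.lchown):
    """Hardened model of the root cron step: validate first, then chown."""
    return _chown_tree(validate_export_dir(homedir, user_path), uid, gid, chown)


def unvalidated_chown_recursive(homedir, user_path, uid, gid, chown=os.lchown):
    """Model of the pre-2.3.6 behaviour the advisory describes: the path is
    built from user input and handed to the privileged step with no
    containment check, so a top-level symlink is followed."""
    return _chown_tree(os.path.join(homedir, user_path), uid, gid, chown)


def demo() -> dict:
    """Constructed scenario: one customer home, one directory outside it and a
    symlink inside the home pointing outside. Returns what each request did."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "customers", "cust1")
        outside = os.path.join(root, "system-dir")
        os.makedirs(os.path.join(home, "exports"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(home, "looks-harmless"))
        outside_real = os.path.realpath(outside)

        recorded = []

        def recording_chown(path, uid, gid):  # no root needed
            recorded.append(os.path.realpath(path))

        requests = [
            ("plain_subdir", "exports"),
            ("symlink_out", "looks-harmless"),
            ("dotdot", "../../system-dir"),
            ("absolute", outside),
        ]
        for label, req in requests:
            try:
                privileged_chown_recursive(home, req, 1000, 1000, recording_chown)
                results[label] = "chowned"
            except ValueError:
                results[label] = "rejected"
        results["hardened_touched_outside"] = any(
            p.startswith(outside_real) for p in recorded)

        recorded.clear()
        unvalidated_chown_recursive(home, "looks-harmless", 1000, 1000,
                                    recording_chown)
        results["unvalidated_touched_outside"] = any(
            p.startswith(outside_real) for p in recorded)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The key design choice is that the boundary is enforced on the fully resolved path (`os.path.realpath` on both the home directory and the candidate), so a symlink planted inside the home, a `..` traversal and an absolute path are all rejected by the same `commonpath` comparison; the unvalidated variant shows why a missing check turns the root cron's `chown -R` into ownership of whatever the symlink points at.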

Details

CWE(s): CWE-59 (Link Following)

Affected Products: froxlor (vendor: froxlor), ≤ 2.3.6

CVEs Like This One

CVE-2026-30932 (same product: Froxlor Froxlor)
CVE-2026-41228 (same product: Froxlor Froxlor)
CVE-2026-26279 (same product: Froxlor Froxlor)
CVE-2026-41230 (same product: Froxlor Froxlor)
CVE-2026-41229 (same product: Froxlor Froxlor)
CVE-2025-29773 (same product: Froxlor Froxlor)
CVE-2026-31979 (shared CWE-59)
CVE-2025-60710 (shared CWE-59)
CVE-2026-25906 (shared CWE-59)
CVE-2025-41667 (shared CWE-59)

References