PatchSiren cyber security CVE debrief
CVE-2026-41236 froxlor CVE debrief
CVE-2026-41236 is a HIGH-severity vulnerability in the Froxlor server administration software. Froxlor 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link. An attacker controlling a shell-enabled customer account can modify files inside the assigned home directory, replacing `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys`. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key to root's authorized key file, giving the attacker SSH access as root. No race has to be won: the symlink can be planted at any time, and the privileged cron task performs the write on the attacker's behalf whenever it next runs. The vulnerability was patched in version 2.3.7.
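The two halves of the bug, the unchecked append and a write path that refuses symlinks, side by side. This is an added example and not Froxlor's code (Froxlor is written in PHP, and the page does not say how 2.3.7 fixes the issue); it uses Python because the point is the file-system calls any implementation needs: walk the path with directory fds, open every component with O_NOFOLLOW, and verify ownership on the opened fd rather than on a path that can change underneath you. A temporary directory stands in for `/root/.ssh` and the customer home, and the current uid/gid play the part of the customer; the key strings are constructed samples.

```python
from __future__ import annotations

import os
import stat
import tempfile

# Constructed sample keys; not real credentials.
ROOT_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleRootKeyOnlyForDemo0000000000 root@host"
ATTACKER_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAttackerKeyForDemo00000000 customer1@evil"


class UnsafePath(Exception):
    """The customer's key file cannot be written to safely."""


def naive_append_key(home: str, pubkey: str) -> None:
    """The pattern the advisory describes: build ~/.ssh/authorized_keys under the
    customer's home and append with a plain open(). open() follows symlinks, so a
    customer-planted link redirects the write to whatever file it points at
    (root's own authorized_keys when the caller is a root cron task)."""
    path = os.path.join(home, ".ssh", "authorized_keys")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(pubkey + "\n")


def _open_dir_nofollow(name: str, dir_fd: int | None = None) -> int:
    """Open one directory component, refusing a symlink at that component.
    Walking with directory fds (openat semantics) means a component cannot be
    swapped for a symlink between this check and the final open."""
    return os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)


def _open_keys_file(ssh_fd: int, uid: int, gid: int) -> int:
    """Create-or-open authorized_keys relative to the .ssh directory fd.
    O_EXCL tells us whether we created it (then hand it to the customer, as a
    root cron task would have to); O_NOFOLLOW makes the open fail with ELOOP
    if the name is a symlink."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW
    try:
        fd = os.open("authorized_keys", flags | os.O_CREAT | os.O_EXCL, 0o600, dir_fd=ssh_fd)
    except FileExistsError:
        return os.open("authorized_keys", flags, dir_fd=ssh_fd)
    os.fchown(fd, uid, gid)
    return fd


def safe_append_key(home: str, pubkey: str, uid: int, gid: int) -> None:
    """Hardened form: every directory below the home must be a real directory
    owned by the customer, and the key file must be a regular file owned by the
    customer, opened without following symlinks. All checks run on open fds."""
    fds: list[int] = []
    try:
        home_fd = _open_dir_nofollow(home)
        fds.append(home_fd)
        ssh_fd = _open_dir_nofollow(".ssh", dir_fd=home_fd)
        fds.append(ssh_fd)
        for label, dfd in (("home", home_fd), (".ssh", ssh_fd)):
            if os.fstat(dfd).st_uid != uid:
                raise UnsafePath(f"{label} directory is not owned by uid {uid}")
        key_fd = _open_keys_file(ssh_fd, uid, gid)
        fds.append(key_fd)
        st = os.fstat(key_fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
            raise UnsafePath("authorized_keys is not a regular file owned by the customer")
        os.write(key_fd, (pubkey + "\n").encode("utf-8"))
    except OSError as exc:  # ELOOP from O_NOFOLLOW, ENOTDIR, EACCES, ...
        raise UnsafePath(f"refusing to write key: {exc}") from exc
    finally:
        for d in fds:
            os.close(d)


def demo() -> dict:
    """Constructed scenario in a temp dir: a stand-in for root's key file, one
    customer home whose authorized_keys was replaced by a symlink to it, and
    one honest customer home with a regular file."""
    tmp = tempfile.mkdtemp()
    root_keys = os.path.join(tmp, "root_authorized_keys")
    with open(root_keys, "w", encoding="utf-8") as fh:
        fh.write(ROOT_KEY + "\n")

    evil_home = os.path.join(tmp, "customer1")
    os.makedirs(os.path.join(evil_home, ".ssh"))
    os.symlink(root_keys, os.path.join(evil_home, ".ssh", "authorized_keys"))

    good_home = os.path.join(tmp, "customer2")
    os.makedirs(os.path.join(good_home, ".ssh"))
    open(os.path.join(good_home, ".ssh", "authorized_keys"), "w").close()

    naive_append_key(evil_home, ATTACKER_KEY)  # follows the link into root's file
    with open(root_keys, encoding="utf-8") as fh:
        naive_leaked = ATTACKER_KEY in fh.read()

    try:
        safe_append_key(evil_home, ATTACKER_KEY, os.getuid(), os.getgid())
        safe_refused = False
    except UnsafePath:
        safe_refused = True

    safe_append_key(good_home, "ssh-ed25519 AAAAExampleHonestKey customer2", os.getuid(), os.getgid())
    with open(os.path.join(good_home, ".ssh", "authorized_keys"), encoding="utf-8") as fh:
        good_lines = len(fh.read().splitlines())
    with open(root_keys, encoding="utf-8") as fh:
        root_lines = len(fh.read().splitlines())

    return {"naive_wrote_to_root": naive_leaked, "safe_refused": safe_refused,
            "root_lines_after": root_lines, "good_home_lines": good_lines}


if __name__ == "__main__":
    print(demo())
```

A check-then-open sequence (lstat the path, then open it) would also reject the symlink shown here, but it leaves a window in which the customer can swap the file for a link between the two calls; anchoring every step to a directory fd and checking ownership on the fd you actually write to closes that window.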
- Vendor: froxlor
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-08
Who should care
Administrators running Froxlor 2.3.6 should upgrade to version 2.3.7. Exposure is highest on hosts where customer accounts have shell access, since the attack requires the ability to create a symlink inside the customer's own home directory; any customer with that ability can use it to obtain root.
Technical summary
The vulnerability has a CVSS base score of 8.8 (HIGH) with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, requires only a low-privileged account (the customer login), no user interaction, and full impact on confidentiality, integrity and availability, since the outcome is SSH access as root. It is classified as CWE-59, Improper Link Resolution Before File Access ("Link Following"): a privileged process writes through a path whose final component is under the control of a less privileged user.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Froxlor to version 2.3.7 or later.
- Until the upgrade is applied, reduce the attack surface: restrict or disable shell access for customer accounts, or pause the privileged SSH key synchronization task, since the attack needs both a customer who can create a symlink in the home directory and a root process that later writes through it.
- Audit `/root/.ssh/authorized_keys` on every host that ran 2.3.6 and remove any key you cannot attribute to an administrator; a customer's key appearing there is evidence of successful exploitation, not just of exposure.
- Check every customer home for a `.ssh` directory or `authorized_keys` file that is a symbolic link, and treat any hit as an indicator of attempted or completed compromise.
- Monitor SSH key synchronization and cron task logs, and root SSH logins, for activity that does not match an administrator's expected keys or source addresses.
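The two audit steps above (symlinked `.ssh` paths in customer homes, and customer keys that have reached root's file) as one script. This is an added example, not part of the advisory or of Froxlor; the customer home list and the root key file path are parameters because layouts differ, and the demo builds a constructed temporary tree with sample keys rather than touching real `/root/.ssh` or customer directories. Customer 1 still has the symlink in place, customer 2 represents an attacker who removed the symlink after the cron task ran, and customer 3 is clean.

```python
from __future__ import annotations

import os
import stat
import tempfile

# Constructed sample keys; not real credentials.
ROOT_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleRootKeyOnlyForDemo0000000000 root@host"
ATTACKER_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAttackerKeyForDemo00000000 customer2@evil"
HONEST_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleHonestCustomerKey000 customer2@laptop"

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def key_ids(text: str) -> set[tuple[str, str]]:
    """Reduce an authorized_keys file to (type, base64-blob) pairs, skipping
    comments and blank lines and stepping over a leading option list such as
    command="...". The trailing comment is ignored so a renamed key still matches."""
    ids: set[tuple[str, str]] = set()
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(parts):
                ids.add((tok, parts[i + 1]))
                break
    return ids


def _read(path: str) -> str:
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def audit_homes(customer_homes: list[str], root_keys_path: str) -> list[tuple[str, str, str]]:
    """Return findings as (kind, path, detail).

    'symlink'     ~/.ssh or ~/.ssh/authorized_keys is a symbolic link: the attack's
                  precondition, and its footprint if the attacker left it in place.
    'key_in_root' a key in a customer's own authorized_keys also appears in root's
                  file: catches a finished attack where the link was removed again.
    """
    findings: list[tuple[str, str, str]] = []
    root_ids = key_ids(_read(root_keys_path))
    for home in customer_homes:
        ssh_dir = os.path.join(home, ".ssh")
        keys_path = os.path.join(ssh_dir, "authorized_keys")
        linked = False
        for path in (ssh_dir, keys_path):
            try:
                st = os.lstat(path)  # lstat: look at the link itself, never through it
            except FileNotFoundError:
                continue
            if stat.S_ISLNK(st.st_mode):
                findings.append(("symlink", path, os.readlink(path)))
                linked = True
        # Only compare keys when no link is involved; reading through one would
        # hand us root's own file and report every key in it as shared.
        if not linked and os.path.isfile(keys_path):
            for ktype, blob in sorted(key_ids(_read(keys_path)) & root_ids):
                findings.append(("key_in_root", keys_path, f"{ktype} {blob[:20]}..."))
    return findings


def demo() -> list[tuple[str, str, str]]:
    """Constructed tree in a temp dir; paths are returned relative to it."""
    tmp = tempfile.mkdtemp()
    root_keys = os.path.join(tmp, "root_authorized_keys")
    with open(root_keys, "w", encoding="utf-8") as fh:
        fh.write(ROOT_KEY + "\n" + ATTACKER_KEY + "\n")  # attacker's key already landed

    homes = [os.path.join(tmp, f"customer{i}") for i in (1, 2, 3)]
    for home in homes:
        os.makedirs(os.path.join(home, ".ssh"))
    # customer1: symlink still pointing at root's file
    os.symlink(root_keys, os.path.join(homes[0], ".ssh", "authorized_keys"))
    # customer2: link removed afterwards, but the key that reached root is theirs
    with open(os.path.join(homes[1], ".ssh", "authorized_keys"), "w", encoding="utf-8") as fh:
        fh.write(HONEST_KEY + "\n" + ATTACKER_KEY + "\n")
    # customer3: clean, keys of their own only
    with open(os.path.join(homes[2], ".ssh", "authorized_keys"), "w", encoding="utf-8") as fh:
        fh.write("# personal key\n" + HONEST_KEY.replace("customer2", "customer3") + "\n")

    out = []
    for kind, path, detail in audit_homes(homes, root_keys):
        if kind == "symlink":
            detail = os.path.relpath(detail, tmp)
        out.append((kind, os.path.relpath(path, tmp), detail))
    return out


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

On a real host, pass the customer home directories Froxlor manages and `/root/.ssh/authorized_keys`; a `key_in_root` hit should be cross-checked against the keys the customer registered in Froxlor, because a key that is legitimately both the customer's and an administrator's is possible but should be rare enough to justify a look.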
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information is available at [ref-4] and [ref-5].
Official resources
CVE-2026-41236 was published on 2026-06-04T19:16:29.327Z and modified on 2026-06-08T16:16:38.887Z.