Access Control Bypass in ProFTPD by ProFTPD Project
CVE-2026-35025
What is CVE-2026-35025?
ProFTPD versions up to 1.3.9b and 1.3.10rc2 are affected by an access control bypass vulnerability that allows authenticated FTP users to bypass Directory ACL restrictions. This occurs through the use of the '/proc/self/root' path prefix in the RNFR command handler, enabling attackers to manipulate path components and perform unauthorized file access. Specifically, the vulnerability exploits unresolved symlinks in the dir_canonical_path() function, causing the dir_check() function to perform lexical path comparisons that do not align with existing Directory configurations. As a result, rename operations can be executed on files in directories that are otherwise protected by DenyAll configurations. It is important to note that connections configured with DefaultRoot (chroot) are not susceptible to this issue, as chroot restricts the directory resolution of the vulnerable paths.
Affected Version(s)
ProFTPD 0 <= 1.3.9b
ProFTPD 0 <= 1.3.9b
ProFTPD 0 <= 1.3.10rc2
