Access Control Bypass in ProFTPD by ProFTPD Project
CVE-2026-35025

8.6HIGH

Key Information:

Status
Vendor
CVE Published:
24 June 2026

What is CVE-2026-35025?

ProFTPD versions up to 1.3.9b and 1.3.10rc2 are affected by an access control bypass vulnerability that allows authenticated FTP users to bypass Directory ACL restrictions. This occurs through the use of the '/proc/self/root' path prefix in the RNFR command handler, enabling attackers to manipulate path components and perform unauthorized file access. Specifically, the vulnerability exploits unresolved symlinks in the dir_canonical_path() function, causing the dir_check() function to perform lexical path comparisons that do not align with existing Directory configurations. As a result, rename operations can be executed on files in directories that are otherwise protected by DenyAll configurations. It is important to note that connections configured with DefaultRoot (chroot) are not susceptible to this issue, as chroot restricts the directory resolution of the vulnerable paths.

Affected Version(s)

ProFTPD 0 <= 1.3.9b

ProFTPD 0 <= 1.3.9b

ProFTPD 0 <= 1.3.10rc2

References

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

djnn
VulnCheck
.