Froxlor Vulnerability Grants Root Ownership of Arbitrary Directories
A critical vulnerability, CVE-2026-41231, affects Froxlor, an open-source server administration package. The National Vulnerability Database reports that prior to version 2.3.6, the DataDump.add() function builds an export destination path from user-supplied input without proper validation. Crucially, it bypasses the symlink validation that other customer-facing path operations already apply to prevent exactly this kind of issue.
This flaw allows a low-privileged user to craft a path that, when processed by the ExportCron (which often runs as root), leads to chown -R being executed on an arbitrary symlink target. The attacker can then take ownership of any directory on the system, gaining significant control over it. The National Vulnerability Database rates this with a CVSS score of 7.5 (HIGH).
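As an added illustration (not Froxlor's code), the two checks below contrast a text-only path check with one that resolves symlinks before comparing against the customer's home directory, which is the validation step the advisory says DataDump.add() skipped; the directory layout and names are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

def lexical_export_dir(customer_home: str, user_supplied: str) -> str:
    """Text-only path check (illustrative stand-in, not Froxlor's code).
    normpath strips '..' but never follows symlinks, so a symlink inside the
    home directory that points elsewhere passes as an ordinary subdirectory."""
    base = os.path.normpath(customer_home)
    candidate = os.path.normpath(os.path.join(base, user_supplied.lstrip("/")))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError(f"outside home (lexically): {candidate}")
    return candidate

def resolved_export_dir(customer_home: str, user_supplied: str) -> str:
    """Hardened check: resolve symlinks first, then confirm the real location
    is still inside the customer's home before anything like chown -R runs."""
    home = Path(customer_home).resolve(strict=True)
    candidate = (home / user_supplied.lstrip("/")).resolve()  # follows symlinks
    try:
        candidate.relative_to(home)
    except ValueError:
        raise ValueError(f"export path escapes customer home: {candidate}") from None
    return str(candidate)

def demo() -> dict:
    """Constructed scenario: a customer home containing a symlink that points
    to a directory outside it, the condition the advisory describes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "customer_home")
        outside = os.path.join(root, "outside_target")
        os.makedirs(os.path.join(home, "exports"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(home, "escape_link"))
        checkers = (("lexical", lexical_export_dir), ("resolved", resolved_export_dir))
        for supplied in ("exports", "escape_link", "escape_link/dump", "../outside_target"):
            for name, check in checkers:
                try:
                    check(home, supplied)
                    results[(name, supplied)] = "accepted"
                except ValueError:
                    results[(name, supplied)] = "rejected"
    return results

if __name__ == "__main__":
    for (name, supplied), verdict in sorted(demo().items()):
        print(f"{name:8} {supplied:20} {verdict}")
```

The resolve-then-compare step only closes the symlink bypass; it does not remove the window between the check and a later recursive chown, so the durable fix remains upgrading to 2.3.6.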
Froxlor users running versions prior to 2.3.6 are at severe risk. This isn’t just a bypass; it’s a direct path to privilege escalation and system compromise. Defenders need to recognize that this isn’t a theoretical concern; it’s a practical attack vector that can be exploited by any authenticated user on the system.
What This Means For You
- If your organization uses Froxlor for server administration, immediately verify your version. Prioritize upgrading to Froxlor version 2.3.6 or later to mitigate CVE-2026-41231. If an immediate patch is not feasible, audit your Froxlor installations to ensure the ExportCron service does not run with excessive privileges.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41231 | Privilege Escalation | Froxlor server administration software |
| CVE-2026-41231 | Privilege Escalation | Froxlor versions prior to 2.3.6 |
| CVE-2026-41231 | Privilege Escalation | Vulnerable function: DataDump.add() path construction |
| CVE-2026-41231 | Privilege Escalation | Missing parameter: $fixed_homedir in FileDir::makeCorrectDir() |
| CVE-2026-41231 | Privilege Escalation | Attack vector: ExportCron running as root executing chown -R on symlink target |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 23, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.