CVE-2026-41236 - Froxlor SSH key symlink root access

Froxlor 2.3.6 can follow a customer-controlled symlink while its privileged cron path synchronizes SSH keys. If a shell-enabled customer can place ~/.ssh/authorized_keys as a symlink to a root-owned target, the root-run sync task can append the customer’s submitted SSH key to the wrong file and turn customer panel access into root SSH access.

The same 2.3.7 security release also closes a related DNS-control-plane problem, CVE-2026-41234: TXT record content was not fully sanitized after the earlier Froxlor DNS newline-injection fix, allowing an authenticated DNS-enabled customer to break out of a TXT record into generated BIND zone content. A reviewer-ready PR should therefore treat Froxlor 2.3.7+ as the minimum fixed target and check both the SSH-key sync boundary and the DNS zone generation boundary.

When to use it

  • A repository installs, mirrors, vendors, images, deploys, or documents Froxlor before 2.3.7.
  • Froxlor manages customer home directories, shell access, SSH keys, FTP users, root-run cron sync, DNS editing, BIND zone generation, or customer API keys.
  • Customers, tenants, resellers, or imported config can influence authorized_keys, home-directory content, TXT records, or DNS API calls.
  • You need a bounded PR or triage note that upgrades Froxlor and documents SSH symlink plus DNS TXT containment/audit actions.

Inputs

  • Composer manifests/locks, Dockerfiles, images, server-admin playbooks, deployment manifests, mirrors, generated reports, SBOMs, operator docs, and Froxlor forks.
  • Shell-enabled customer state, SSH-key submission paths, DNS edit/API settings, root cron jobs, generated zone locations, symlink audit ownership, key rotation ownership, and rollout status.
  • Available Composer checks, fork/unit tests, container build, deployment render, SBOM, dependency/security scans, and safe redacted audit scripts.

Affected versions

Issue Package Vulnerable versions Fixed versions
CVE-2026-41236 / GHSA-mq5v-pxpm-8jw2 froxlor/froxlor 2.3.6 2.3.7+
CVE-2026-41234 / GHSA-37m5-m4q3-fc6x froxlor/froxlor <=2.3.6 2.3.7+

Indicator-of-exposure

  • The repository pins, vendors, builds, deploys, mirrors, or documents froxlor/froxlor before 2.3.7.
  • Froxlor manages customer home directories, FTP users, SSH keys, shell access, or root-owned cron tasks such as REBUILD_NSSUSERS.
  • Customers, tenants, resellers, automation accounts, or imported configuration can submit SSH keys or influence customer-owned home directories.
  • DNS editing is enabled through Froxlor’s panel or API, especially where customers can create TXT records and BIND zone files are generated by cron.
  • Froxlor runtime hosts have access to root SSH configuration, hosted customer data, DNS zone files, mail routing, certificates, databases, or control-plane credentials.

Quick checks:

rg -n "froxlor|froxlor/froxlor|REBUILD_NSSUSERS|SshKeys|authorized_keys|shell_allowed|DomainZones|DnsEntry|encloseTXTContent|bind_enable|dnsenabled|customer_ftp|api.php" .
composer show froxlor/froxlor
composer why froxlor/froxlor
rg -n "froxlor|FROXLOR|authorized_keys|bind_enable|dnsenabled|master cron|rebuildnssusers" Dockerfile* docker-compose*.yml .github deploy charts ansible terraform scripts docs .

Windows:

rg -n "froxlor|froxlor/froxlor|REBUILD_NSSUSERS|SshKeys|authorized_keys|shell_allowed|DomainZones|DnsEntry|encloseTXTContent|bind_enable|dnsenabled|customer_ftp|api.php" .
composer show froxlor/froxlor
composer why froxlor/froxlor
rg -n "froxlor|FROXLOR|authorized_keys|bind_enable|dnsenabled|master cron|rebuildnssusers" Dockerfile* docker-compose*.yml .github deploy charts ansible terraform scripts docs .

Do not create root-targeting symlinks, submit crafted TXT records, run BIND include probes, or test against production customer accounts during exposure checks.

Remediation strategy

  • Upgrade every repository-controlled Froxlor deployment reference to 2.3.7+.
  • Refresh composer.lock, container images, deployment manifests, SBOMs, scanner baselines, generated dependency reports, and operator docs that pin or mention the vulnerable version.
  • Until rollout is complete, disable or restrict customer SSH-key submission, shell-enabled FTP users, customer DNS editing, and API keys that can edit DNS TXT records.
  • Audit customer home directories for ~/.ssh/authorized_keys symlinks that resolve outside the intended customer document root. Remove unsafe links before re-enabling SSH-key sync.
  • Review root SSH authorized keys and Froxlor action logs around recent customer SSH-key submissions. Rotate or remove keys through the owning operator process without printing private key material or customer data.
  • Review generated BIND zone files for unexpected directives or newline-split TXT records using redacted, bounded checks.
  • If the repository vendors Froxlor or carries a fork, backport the upstream behavior instead of only changing dependency metadata: resolve and reject symlink escapes in SSH-key file handling, verify the target file remains under the customer document root, and reject control characters in DNS content before zone serialization.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-41236 / GHSA-mq5v-pxpm-8jw2, a Froxlor SSH-key
sync symlink-following flaw that can turn customer panel access into root SSH
access. Also account for CVE-2026-41234 / GHSA-37m5-m4q3-fc6x, the related
Froxlor TXT zone-file injection incomplete fix closed by the same 2.3.7
security release. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Froxlor to 2.3.7+, refreshes
  generated artifacts, adds safe regression checks or fork patches where this
  repository owns Froxlor code, and documents operator containment and audit
  actions, or
- TRIAGE.md if this repository does not control an affected Froxlor deployment,
  package pin, image, fork, or operator workflow.

## Rules

- Scope only CVE-2026-41236, CVE-2026-41234, directly related Froxlor
  2.3.7 security-release changes, and immediate operator containment.
- Do not create symlinks to root-owned files, submit malicious TXT records,
  run BIND include probes, attempt SSH login as root, or execute exploit
  payloads against developer, staging, or production systems.
- Do not print SSH private keys, API keys, customer account data, DNS secrets,
  zone-file contents that may contain sensitive records, database credentials,
  cookies, sessions, or tenant identifiers.
- Do not disable authentication, customer isolation, DNS validation, SSH-key
  validation, or tests to make the alert disappear.
- Do not auto-merge.

## Steps

1. Inventory every Froxlor reference in Composer manifests, lockfiles,
   Dockerfiles, container images, Helm/Kubernetes manifests, Ansible/Terraform
   modules, setup scripts, server-admin runbooks, mirrors, forks, and generated
   dependency reports.
2. Determine whether any controlled target resolves or deploys
   `froxlor/froxlor <2.3.7`, with special attention to `2.3.6`.
3. Search for runtime ownership of Froxlor panel, master cron,
   `REBUILD_NSSUSERS`, customer FTP users, shell access, SSH-key submission,
   DNS editing, `DomainZones.add`, TXT records, BIND zone generation, and
   customer API-key workflows.
4. If the repository does not install, deploy, vendor, fork, or document an
   affected Froxlor path, stop with `TRIAGE.md` listing checked paths, resolved
   versions, and why exposure is absent.
5. Upgrade Froxlor to `2.3.7+`. Refresh `composer.lock`, image pins,
   deployment manifests, generated docs, SBOMs, scanner evidence, and
   dependency reports.
6. If this repository vendors or forks Froxlor, patch and test the owned code:
   - reject `authorized_keys` symlinks that resolve outside the customer
     document root;
   - resolve paths before writes, ownership changes, and permission changes;
   - fail closed when target path ownership, mode, or parent directory is not
     expected;
   - reject CR, LF, tabs, and other control characters in DNS record content
     before BIND zone serialization;
   - add unit tests for symlink containment and TXT newline rejection using
     temporary directories and inert fixture domains.
7. Add temporary containment when rollout is not complete:
   - restrict customer SSH-key submission and shell-enabled FTP user changes;
   - restrict customer DNS TXT editing and API keys that can call
     `DomainZones.add`;
   - keep Froxlor master cron running only after unsafe symlink checks are
     complete;
   - record owner and follow-up date for each containment item.
8. Add operator audit notes without exposing sensitive values:
   - whether customer `authorized_keys` symlinks escaped document roots;
   - whether root SSH authorized keys changed after Froxlor customer key
     submissions;
   - whether generated zone files contain unexpected directives or
     newline-split TXT records;
   - which credentials or keys need rotation by a human owner.
9. Add a PR body section named `CVE-2026-41236 operator actions` that states:
   - Froxlor versions before and after;
   - whether shell-enabled customers, SSH keys, DNS editing, or API DNS edits
     are enabled;
   - whether a vendored fork was patched or upstream `2.3.7+` was consumed;
   - which symlink and DNS audit checks were run;
   - which temporary restrictions remain until deployment.
10. Run available validation: Composer install/update checks, lockfile
    consistency, Froxlor unit tests or fork tests, container build,
    deployment render, SBOM refresh, dependency/security scans, and safe
    operator audit scripts that avoid exploit behavior and sensitive output.
11. Use PR title:
    `fix(sec): remediate CVE-2026-41236 in Froxlor`

## Stop conditions

- No controlled Froxlor package, image, fork, deployment manifest, or operator
  workflow resolves an affected version.
- Froxlor appears only in docs or historical notes and does not drive a live
  server-admin deployment.
- Safe verification would require creating exploit symlinks, submitting
  malicious zone content, using customer accounts, reading production zone
  files, or attempting root SSH login.
- The fix belongs to a separately owned hosting platform; document the owner,
  target fixed version, containment, audit needs, and follow-up date.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled Composer lockfile, image, deployment manifest, SBOM, or generated report pins froxlor/froxlor <2.3.7.
  • Shell-enabled customer SSH-key paths either consume upstream 2.3.7+ or have tests proving symlink escapes are rejected before any root-owned write or ownership change.
  • DNS TXT record handling either consumes upstream 2.3.7+ or has tests proving CR/LF/control-character content cannot break generated zone lines.
  • Operator notes identify whether SSH-key and DNS containment is still active and which key or credential rotations remain human-owned.

Output contract

  • Reviewer-ready PR upgrading every controlled Froxlor target to 2.3.7+ with refreshed Composer locks, images, manifests, SBOMs, mirrors, and docs.
  • Fork/backport tests when applicable proving symlink escapes are rejected before root-owned writes and DNS TXT control characters cannot break zone serialization.
  • Operator notes for temporary SSH/DNS restrictions, customer authorized_keys symlink audit, root SSH key review, BIND zone review, and human-owned key or credential rotation.
  • TRIAGE.md when Froxlor runtime, hosting platform, customer audit, or operator containment is outside this repository.

Watch for

  • Updating composer.json without refreshing composer.lock, container images, server-admin playbooks, or mirrored release artifacts.
  • Treating CVE-2026-41236 as “just local” when the prerequisite account is a normal customer panel user with shell-enabled home-directory control.
  • Leaving customer DNS TXT editing enabled while the incomplete CVE-2026-30932 fix remains in place.
  • Audit scripts that dump full zone files, keys, customer names, or root SSH configuration into PR logs.
  • Fork patches that normalize path strings but never resolve symlinks before root-owned writes.

References