CVE-2026-41236 - Froxlor SSH key symlink root access
Froxlor 2.3.6 can follow a customer-controlled symlink while its privileged
cron path synchronizes SSH keys. If a shell-enabled customer can place
~/.ssh/authorized_keys as a symlink to a root-owned target, the root-run
sync task can append the customer’s submitted SSH key to the wrong file and
turn customer panel access into root SSH access.
The same 2.3.7 security release also closes a related DNS-control-plane
problem, CVE-2026-41234: TXT record content was not fully sanitized after the
earlier Froxlor DNS newline-injection fix, allowing an authenticated
DNS-enabled customer to break out of a TXT record into generated BIND zone
content. A reviewer-ready PR should therefore treat Froxlor 2.3.7+ as the
minimum fixed target and check both the SSH-key sync boundary and the DNS zone
generation boundary.
When to use it
- A repository installs, mirrors, vendors, images, deploys, or documents
Froxlor before
2.3.7. - Froxlor manages customer home directories, shell access, SSH keys, FTP users, root-run cron sync, DNS editing, BIND zone generation, or customer API keys.
- Customers, tenants, resellers, or imported config can influence
authorized_keys, home-directory content, TXT records, or DNS API calls. - You need a bounded PR or triage note that upgrades Froxlor and documents SSH symlink plus DNS TXT containment/audit actions.
Inputs
- Composer manifests/locks, Dockerfiles, images, server-admin playbooks, deployment manifests, mirrors, generated reports, SBOMs, operator docs, and Froxlor forks.
- Shell-enabled customer state, SSH-key submission paths, DNS edit/API settings, root cron jobs, generated zone locations, symlink audit ownership, key rotation ownership, and rollout status.
- Available Composer checks, fork/unit tests, container build, deployment render, SBOM, dependency/security scans, and safe redacted audit scripts.
Affected versions
| Issue | Package | Vulnerable versions | Fixed versions |
|---|---|---|---|
| CVE-2026-41236 / GHSA-mq5v-pxpm-8jw2 | froxlor/froxlor |
2.3.6 |
2.3.7+ |
| CVE-2026-41234 / GHSA-37m5-m4q3-fc6x | froxlor/froxlor |
<=2.3.6 |
2.3.7+ |
Indicator-of-exposure
- The repository pins, vendors, builds, deploys, mirrors, or documents
froxlor/froxlorbefore2.3.7. - Froxlor manages customer home directories, FTP users, SSH keys, shell access,
or root-owned cron tasks such as
REBUILD_NSSUSERS. - Customers, tenants, resellers, automation accounts, or imported configuration can submit SSH keys or influence customer-owned home directories.
- DNS editing is enabled through Froxlor’s panel or API, especially where customers can create TXT records and BIND zone files are generated by cron.
- Froxlor runtime hosts have access to root SSH configuration, hosted customer data, DNS zone files, mail routing, certificates, databases, or control-plane credentials.
Quick checks:
rg -n "froxlor|froxlor/froxlor|REBUILD_NSSUSERS|SshKeys|authorized_keys|shell_allowed|DomainZones|DnsEntry|encloseTXTContent|bind_enable|dnsenabled|customer_ftp|api.php" .
composer show froxlor/froxlor
composer why froxlor/froxlor
rg -n "froxlor|FROXLOR|authorized_keys|bind_enable|dnsenabled|master cron|rebuildnssusers" Dockerfile* docker-compose*.yml .github deploy charts ansible terraform scripts docs .
Windows:
rg -n "froxlor|froxlor/froxlor|REBUILD_NSSUSERS|SshKeys|authorized_keys|shell_allowed|DomainZones|DnsEntry|encloseTXTContent|bind_enable|dnsenabled|customer_ftp|api.php" .
composer show froxlor/froxlor
composer why froxlor/froxlor
rg -n "froxlor|FROXLOR|authorized_keys|bind_enable|dnsenabled|master cron|rebuildnssusers" Dockerfile* docker-compose*.yml .github deploy charts ansible terraform scripts docs .
Do not create root-targeting symlinks, submit crafted TXT records, run BIND include probes, or test against production customer accounts during exposure checks.
Remediation strategy
- Upgrade every repository-controlled Froxlor deployment reference to
2.3.7+. - Refresh
composer.lock, container images, deployment manifests, SBOMs, scanner baselines, generated dependency reports, and operator docs that pin or mention the vulnerable version. - Until rollout is complete, disable or restrict customer SSH-key submission, shell-enabled FTP users, customer DNS editing, and API keys that can edit DNS TXT records.
- Audit customer home directories for
~/.ssh/authorized_keyssymlinks that resolve outside the intended customer document root. Remove unsafe links before re-enabling SSH-key sync. - Review root SSH authorized keys and Froxlor action logs around recent customer SSH-key submissions. Rotate or remove keys through the owning operator process without printing private key material or customer data.
- Review generated BIND zone files for unexpected directives or newline-split TXT records using redacted, bounded checks.
- If the repository vendors Froxlor or carries a fork, backport the upstream behavior instead of only changing dependency metadata: resolve and reject symlink escapes in SSH-key file handling, verify the target file remains under the customer document root, and reject control characters in DNS content before zone serialization.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-41236 / GHSA-mq5v-pxpm-8jw2, a Froxlor SSH-key
sync symlink-following flaw that can turn customer panel access into root SSH
access. Also account for CVE-2026-41234 / GHSA-37m5-m4q3-fc6x, the related
Froxlor TXT zone-file injection incomplete fix closed by the same 2.3.7
security release. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Froxlor to 2.3.7+, refreshes
generated artifacts, adds safe regression checks or fork patches where this
repository owns Froxlor code, and documents operator containment and audit
actions, or
- TRIAGE.md if this repository does not control an affected Froxlor deployment,
package pin, image, fork, or operator workflow.
## Rules
- Scope only CVE-2026-41236, CVE-2026-41234, directly related Froxlor
2.3.7 security-release changes, and immediate operator containment.
- Do not create symlinks to root-owned files, submit malicious TXT records,
run BIND include probes, attempt SSH login as root, or execute exploit
payloads against developer, staging, or production systems.
- Do not print SSH private keys, API keys, customer account data, DNS secrets,
zone-file contents that may contain sensitive records, database credentials,
cookies, sessions, or tenant identifiers.
- Do not disable authentication, customer isolation, DNS validation, SSH-key
validation, or tests to make the alert disappear.
- Do not auto-merge.
## Steps
1. Inventory every Froxlor reference in Composer manifests, lockfiles,
Dockerfiles, container images, Helm/Kubernetes manifests, Ansible/Terraform
modules, setup scripts, server-admin runbooks, mirrors, forks, and generated
dependency reports.
2. Determine whether any controlled target resolves or deploys
`froxlor/froxlor <2.3.7`, with special attention to `2.3.6`.
3. Search for runtime ownership of Froxlor panel, master cron,
`REBUILD_NSSUSERS`, customer FTP users, shell access, SSH-key submission,
DNS editing, `DomainZones.add`, TXT records, BIND zone generation, and
customer API-key workflows.
4. If the repository does not install, deploy, vendor, fork, or document an
affected Froxlor path, stop with `TRIAGE.md` listing checked paths, resolved
versions, and why exposure is absent.
5. Upgrade Froxlor to `2.3.7+`. Refresh `composer.lock`, image pins,
deployment manifests, generated docs, SBOMs, scanner evidence, and
dependency reports.
6. If this repository vendors or forks Froxlor, patch and test the owned code:
- reject `authorized_keys` symlinks that resolve outside the customer
document root;
- resolve paths before writes, ownership changes, and permission changes;
- fail closed when target path ownership, mode, or parent directory is not
expected;
- reject CR, LF, tabs, and other control characters in DNS record content
before BIND zone serialization;
- add unit tests for symlink containment and TXT newline rejection using
temporary directories and inert fixture domains.
7. Add temporary containment when rollout is not complete:
- restrict customer SSH-key submission and shell-enabled FTP user changes;
- restrict customer DNS TXT editing and API keys that can call
`DomainZones.add`;
- keep Froxlor master cron running only after unsafe symlink checks are
complete;
- record owner and follow-up date for each containment item.
8. Add operator audit notes without exposing sensitive values:
- whether customer `authorized_keys` symlinks escaped document roots;
- whether root SSH authorized keys changed after Froxlor customer key
submissions;
- whether generated zone files contain unexpected directives or
newline-split TXT records;
- which credentials or keys need rotation by a human owner.
9. Add a PR body section named `CVE-2026-41236 operator actions` that states:
- Froxlor versions before and after;
- whether shell-enabled customers, SSH keys, DNS editing, or API DNS edits
are enabled;
- whether a vendored fork was patched or upstream `2.3.7+` was consumed;
- which symlink and DNS audit checks were run;
- which temporary restrictions remain until deployment.
10. Run available validation: Composer install/update checks, lockfile
consistency, Froxlor unit tests or fork tests, container build,
deployment render, SBOM refresh, dependency/security scans, and safe
operator audit scripts that avoid exploit behavior and sensitive output.
11. Use PR title:
`fix(sec): remediate CVE-2026-41236 in Froxlor`
## Stop conditions
- No controlled Froxlor package, image, fork, deployment manifest, or operator
workflow resolves an affected version.
- Froxlor appears only in docs or historical notes and does not drive a live
server-admin deployment.
- Safe verification would require creating exploit symlinks, submitting
malicious zone content, using customer accounts, reading production zone
files, or attempting root SSH login.
- The fix belongs to a separately owned hosting platform; document the owner,
target fixed version, containment, audit needs, and follow-up date.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Verification - what the reviewer looks for
- No controlled Composer lockfile, image, deployment manifest, SBOM, or
generated report pins
froxlor/froxlor <2.3.7. - Shell-enabled customer SSH-key paths either consume upstream
2.3.7+or have tests proving symlink escapes are rejected before any root-owned write or ownership change. - DNS TXT record handling either consumes upstream
2.3.7+or has tests proving CR/LF/control-character content cannot break generated zone lines. - Operator notes identify whether SSH-key and DNS containment is still active and which key or credential rotations remain human-owned.
Output contract
- Reviewer-ready PR upgrading every controlled Froxlor target to
2.3.7+with refreshed Composer locks, images, manifests, SBOMs, mirrors, and docs. - Fork/backport tests when applicable proving symlink escapes are rejected before root-owned writes and DNS TXT control characters cannot break zone serialization.
- Operator notes for temporary SSH/DNS restrictions, customer
authorized_keyssymlink audit, root SSH key review, BIND zone review, and human-owned key or credential rotation. TRIAGE.mdwhen Froxlor runtime, hosting platform, customer audit, or operator containment is outside this repository.
Watch for
- Updating
composer.jsonwithout refreshingcomposer.lock, container images, server-admin playbooks, or mirrored release artifacts. - Treating CVE-2026-41236 as “just local” when the prerequisite account is a normal customer panel user with shell-enabled home-directory control.
- Leaving customer DNS TXT editing enabled while the incomplete CVE-2026-30932 fix remains in place.
- Audit scripts that dump full zone files, keys, customer names, or root SSH configuration into PR logs.
- Fork patches that normalize path strings but never resolve symlinks before root-owned writes.
Related recipes
- Go x/crypto ssh agent forwarded constraint loss
- Critical infrastructure secure context
- CVE intelligence intake gate
References
- GitHub Advisory: https://github.com/advisories/GHSA-mq5v-pxpm-8jw2
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-41236
- Related GitHub Advisory: https://github.com/advisories/GHSA-37m5-m4q3-fc6x
- Froxlor release 2.3.7: https://github.com/froxlor/froxlor/releases/tag/2.3.7