CVE-2026-35025

Source
https://cve.org/CVERecord?id=CVE-2026-35025
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-35025.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-35025
Downstream
Published
2026-06-24T13:21:42.281Z
Modified
2026-06-25T04:04:08.522916768Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
ProFTPD ACL Bypass via /proc/self/root Path Prefix in RNFR
Details

ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Because dir_canonical_path() leaves symlink components such as /proc/self/root unresolved, dir_check() performs a lexical path comparison that matches no configured Directory block, which enables rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35025.json",
    "cwe_ids": [
        "CWE-59"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/proftpd/proftpd

Affected ranges

Type
GIT
Repo
https://github.com/proftpd/proftpd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
1.3.9b
Last affected
1.3.10rc2
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.3.9b"
        },
        {
            "last_affected": "1.3.10rc2"
        }
    ]
}

Affected versions

v1.*
v1.3.10rc1
v1.3.10rc2
v1.3.10rc2-2
v1.3.6
v1.3.6rc1
v1.3.6rc2
v1.3.6rc3
v1.3.6rc4
v1.3.7
v1.3.7rc1
v1.3.7rc2
v1.3.7rc3
v1.3.7rc4
v1.3.8
v1.3.8rc1
v1.3.8rc2
v1.3.8rc3
v1.3.8rc4
v1.3.9
v1.3.9a
v1.3.9b
v1.3.9rc1
v1.3.9rc2
v1.3.9rc3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-35025.json"