CVE-2026-28295: Server-Side Request Forgery (SSRF) in Red Hat Enterprise Linux 10
A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network.
AI Analysis
Technical Summary
CVE-2026-28295 is a medium-severity SSRF vulnerability affecting the FTP GVfs backend component in Red Hat Enterprise Linux 10. The flaw arises because the FTP client implementation unconditionally trusts the IP address and port provided by an FTP server in its passive mode (PASV) response. In FTP passive mode, the server tells the client which IP and port to connect to for data transfer. A malicious FTP server can exploit this by supplying arbitrary IP addresses and ports, causing the client to initiate connections to unintended internal or external network endpoints. This behavior effectively allows the attacker to use the client as a proxy to scan or probe internal network resources that the client can access but the attacker cannot directly reach. The vulnerability does not require authentication but does require user interaction in the form of connecting to a malicious FTP server. The impact is primarily information disclosure through network reconnaissance rather than direct compromise or data modification. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) reflects network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, limited confidentiality impact, and no integrity or availability impact. No patches or known exploits are currently documented, but the flaw represents a risk for environments where users connect to untrusted FTP servers. The vulnerability highlights the risks of trusting external input in network protocols and the potential for SSRF to facilitate internal network discovery.
Potential Impact
The primary impact of CVE-2026-28295 is the potential for attackers controlling malicious FTP servers to perform internal network reconnaissance by leveraging vulnerable clients. This can lead to the disclosure of internal IP addresses, open ports, and services that are otherwise inaccessible to the attacker. Such information can be used to plan further attacks, including lateral movement, exploitation of internal services, or targeted attacks against critical infrastructure. Although the vulnerability does not directly compromise confidentiality, integrity, or availability of the client system, it increases the attack surface by revealing network topology and accessible services. Organizations with sensitive internal networks, segmented environments, or critical infrastructure could face increased risk if attackers gain insight into internal network configurations. The requirement for user interaction (connecting to a malicious FTP server) limits the scope somewhat, but phishing or social engineering could be used to induce such connections. Overall, the vulnerability poses a moderate risk, especially in environments where FTP is used and users may connect to untrusted servers.
Mitigation Recommendations
To mitigate CVE-2026-28295, organizations should implement the following specific measures:
1. Avoid connecting to untrusted or unknown FTP servers, especially those outside the organization or on the public internet.
2. Configure FTP clients or GVfs to restrict or validate PASV response IP addresses, ensuring connections are only made to expected or internal IP ranges.
3. Employ network segmentation and firewall rules to limit outbound connections from client machines to only necessary IP addresses and ports, preventing arbitrary connections triggered by malicious PASV responses.
4. Monitor network traffic for unusual outbound FTP data connections to unexpected IPs or ports.
5. Educate users about the risks of connecting to untrusted FTP servers and implement policies restricting FTP usage to trusted sources.
6. Stay updated with Red Hat security advisories for patches or updates addressing this vulnerability and apply them promptly once available.
7. Consider disabling or replacing the FTP GVfs backend with more secure file transfer protocols or clients that validate PASV responses.
These targeted mitigations go beyond generic advice by focusing on controlling and validating the PASV response handling and limiting the ability of clients to make arbitrary network connections.
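The PASV handling described in the technical summary and mitigation 2 above, as an added example that is not GVfs or Red Hat code: a parser for the RFC 959 "227" reply next to the check a hardened client makes, requiring the advertised host to match the control connection's peer (the approach curl takes with its --ftp-skip-pasv-ip option) and refusing privileged ports. The sample replies and the 203.0.113.10 control address are constructed.

```python
import ipaddress
import re

# Host/port tuple of an RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply; raise ValueError if malformed."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet or port byte out of range")
    ip = str(ipaddress.IPv4Address(".".join(str(n) for n in nums[:4])))
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 advertised")
    return ip, port


def choose_data_endpoint(reply, control_peer_ip):
    """Hardened policy (illustrative, not the GVfs implementation): ignore any
    advertised host that differs from the control connection's peer and refuse
    privileged ports. Returns (ip, port, warning); warning is None when the
    reply was consistent with the control connection.
    """
    advertised_ip, port = parse_pasv(reply)
    if port < 1024:
        raise ValueError("refusing privileged data port %d" % port)
    if advertised_ip != control_peer_ip:
        # The server tried to redirect the data connection elsewhere: reuse the
        # control peer instead and surface the mismatch for logging/alerting.
        warning = "PASV host %s != control peer %s" % (advertised_ip, control_peer_ip)
        return control_peer_ip, port, warning
    return advertised_ip, port, None


if __name__ == "__main__":
    # Constructed sample replies; 203.0.113.10 is a documentation-range address.
    control = "203.0.113.10"
    benign = "227 Entering Passive Mode (203,0,113,10,195,80)"
    redirect = "227 Entering Passive Mode (10,0,0,5,12,234)"
    print(choose_data_endpoint(benign, control))    # ('203.0.113.10', 50000, None)
    print(choose_data_endpoint(redirect, control))  # control peer reused, warning set
```

The warning string is the detection signal for mitigation 4: a client that logs it gives defenders a record of every server that tried to redirect a data connection.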
Affected Countries
United States, Germany, India, China, United Kingdom, France, Japan, Canada, Australia, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-02-26T13:34:41.531Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a0a1ca85912abc71d0bb68
Added to database: 2/26/2026, 7:40:58 PM
Last enriched: 2/26/2026, 8:10:47 PM
Last updated: 2/27/2026, 3:22:26 AM
Views: 9