
CVE-2026-35025: Improper Link Resolution Before File Access ('Link Following') in ProFTPD Project ProFTPD

Severity: High
Published: 06/24/2026 (06/24/2026, 13:21:42 UTC)
Source: CVE Database V5
Vendor/Project: ProFTPD Project
Product: ProFTPD

Description

ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.

CVSS v4.0

Score: 8.6 (High)

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None
Vulnerable System Confidentiality: High
Vulnerable System Integrity: High
Vulnerable System Availability: None
Subsequent System Confidentiality: None
Subsequent System Integrity: None
Subsequent System Availability: None

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected software

ProFTPD (pkg:github/ProFTPD)
Affected versions: =1.3.9


AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/24/2026, 14:09:22 UTC

Technical Analysis

CVE-2026-35025 affects ProFTPD through version 1.3.9 and 1.3.10rc2, where an access control bypass vulnerability exists due to improper link resolution before file access. Authenticated FTP users can prefix paths with /proc/self/root in the RNFR command handler to exploit unresolved symlink components in the dir_canonical_path() function. This causes dir_check() to perform lexical path comparisons that do not match any configured Directory block, allowing rename operations on files within DenyAll-protected directories and subsequent unauthorized retrieval. The vulnerability does not affect sessions configured with DefaultRoot (chroot), as chroot changes the directory to which /proc/self/root resolves.

Potential Impact

Authenticated FTP users can bypass directory access control restrictions, enabling them to rename and retrieve files in directories that should be protected by DenyAll ACLs. This compromises the confidentiality and integrity of files within those directories. The vulnerability has a high severity with a CVSS 4.0 score of 8.6, indicating significant impact if exploited.

Mitigation Recommendations

No official patch or remediation level is currently confirmed. Sessions configured with DefaultRoot (chroot) are not affected and can be used as a mitigation. Users should consider configuring DefaultRoot to prevent exploitation. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
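As an added example (not part of this advisory and not ProFTPD's own code), the following detector runs over ProFTPD ExtendedLog lines and flags path-bearing commands that route through /proc/self/root, the prefix the description above attributes to the bypass; it also catches the /proc/<pid>/root form, which the advisory does not mention but which resolves through the same kernel link. The log format, the command set and the sample lines are assumptions constructed for this example.

```python
import re
from typing import Iterable, List, Tuple

# Assumed log shape: ProFTPD's default LogFormat '%h %l %u %t "%r" %s %b' as written
# by ExtendedLog, where %r is the full command line the client sent (an assumption here).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<cmd>[A-Za-z]+)(?: (?P<arg>[^"]*))?" \d+ \S+$'
)
# Commands whose argument is a path. RNFR is the handler named in the CVE; RNTO and RETR
# are included because the bypass is followed by a rename and a retrieval.
PATH_COMMANDS = {"RNFR", "RNTO", "RETR", "STOR", "CWD", "DELE", "LIST", "NLST", "MLSD"}

def reaches_proc_root(path: str) -> bool:
    """True when the raw components contain proc/<anything>/root, i.e. /proc/self/root
    or /proc/<pid>/root. Raw components are inspected on purpose: normalising first
    would let a trailing ../../.. erase the /proc prefix before the check sees it."""
    parts = [p for p in path.split("/") if p not in ("", ".")]
    return any(parts[i] == "proc" and parts[i + 2] == "root" for i in range(len(parts) - 2))

def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, user, command, argument) for every path-bearing command that
    routes through /proc/*/root. Only the RNFR line carries the marker; the RNTO target
    and the later RETR of the renamed file look ordinary, so RNFR is the line to alert on."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a command log line
        cmd, arg = m["cmd"].upper(), m["arg"] or ""
        if cmd in PATH_COMMANDS and reaches_proc_root(arg):
            findings.append((m["host"], m["user"], cmd, arg))
    return findings

# Constructed sample lines (not real traffic): a benign rename, a rename through
# /proc/self/root out of a protected directory, the retrieval, and a /proc/<pid>/root variant.
SAMPLE_LOG = """\
203.0.113.5 UNKNOWN alice [24/Jun/2026:13:21:42 +0000] "RNFR /home/alice/report.txt" 350 -
203.0.113.5 UNKNOWN alice [24/Jun/2026:13:21:43 +0000] "RNTO /home/alice/report.bak" 250 -
203.0.113.5 UNKNOWN alice [24/Jun/2026:13:22:01 +0000] "RNFR /proc/self/root/srv/ftp/private/keys.txt" 350 -
203.0.113.5 UNKNOWN alice [24/Jun/2026:13:22:02 +0000] "RNTO /home/alice/keys.txt" 250 -
203.0.113.5 UNKNOWN alice [24/Jun/2026:13:22:05 +0000] "RETR /home/alice/keys.txt" 226 4096
203.0.113.9 UNKNOWN bob [24/Jun/2026:13:30:00 +0000] "CWD /./proc/1/root/etc" 250 -
"""

if __name__ == "__main__":
    for host, user, cmd, arg in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{host} {user} {cmd} {arg}")
```

A hit on a session that is not chrooted is the case the advisory describes; sessions under DefaultRoot can be deprioritised, since the page states they are not affected.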


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-03-31T20:40:15.618Z
CVSS Version: 4.0
State: PUBLISHED
Remediation Level: null

Threat ID: 6a3be194eed863c81eeb964e

Added to database: 06/24/2026, 13:54:28 UTC

Last enriched: 06/24/2026, 14:09:22 UTC

Last updated: 06/24/2026, 19:05:15 UTC


