{"id":"CVE-2026-35025","summary":"ProFTPD ACL Bypass via /proc/self/root Path Prefix in RNFR","details":"ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.","modified":"2026-07-08T08:12:57.906756187Z","published":"2026-06-24T13:21:42.281Z","database_specific":{"cwe_ids":["CWE-59"],"cna_assigner":"VulnCheck","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35025.json"},"references":[{"type":"WEB","url":"http://www.proftpd.org/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35025.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35025"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/proftpd-acl-bypass-via-proc-self-root-path-prefix-in-rnfr"},{"type":"PACKAGE","url":"https://github.com/proftpd/proftpd"},{"type":"ARTICLE","url":"https://github.com/proftpd/proftpd/issues/2170"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/proftpd/proftpd","events":[{"introduced":"0"},{"last_affected":"390b21555268bbc64b66d2dfa7ae40476419b80f"},{"introduced":"df75a382880e68d8c0f252cf930a7d78c57a9f6f"},{"last_affected":"13aec2ef773d981d9e64d9618fcfaa3238f21a8e"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"1.3.9b"},{"introduced":"1.3.10-rc1"},{"last_affected":"1.3.10-rc1"},{"introduced":"1.3.10-rc2"},{"last_affected":"1.3.10-rc2"}],"cpe":["cpe:2.3:a:proftpd:proftpd:*:*:*:*:*:*:*:*","cpe:2.3:a:proftpd:proftpd:1.3.10:rc1:*:*:*:*:*:*","cpe:2.3:a:proftpd:proftpd:1.3.10:rc2:*:*:*:*:*:*"],"source":["CPE_RANGE","CPE_STRING"]}}],"versions":["1.3.10-rc1","1.3.10-rc2","v1.3.9b","v1.3.10rc2-2","v1.3.10rc2","v1.3.9a","v1.3.10rc1","v1.3.9","v1.3.9rc3","v1.3.9rc2","v1.3.9rc1","v1.3.8","v1.3.8rc4","v1.3.8rc3","v1.3.8rc2","v1.3.8rc1","v1.3.7","v1.3.7rc4","v1.3.7rc3","v1.3.7rc2","v1.3.7rc1","v1.3.6","v1.3.6rc4","v1.3.6rc3","v1.3.6rc2","v1.3.6rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35025.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}]}