CVE-2026-35025
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk27th percentile — higher than 27% of all known CVEs
Summary
A vulnerability in ProFTPD up to versions 1.3.9b and 1.3.10rc2 allows authenticated FTP users to bypass Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval.
Risk Assessment
The organization is at risk of unauthorized access to files in ACL-protected directories, potentially leading to data leakage. The attack requires authentication but can be performed by any logged-in FTP user.
Recommendation
Upgrade ProFTPD to version 1.3.9c or later which includes the fix. As a temporary mitigation, configure DefaultRoot (chroot) for all FTP sessions, which prevents the vulnerability.
Original NVD description (English source)
ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.

