- CVE: CVE-2026-35025
- CVSS: 8.6 (High · CVSSv4)
- Product: ProFTPD Project ProFTPD
- Affected: ≤ 1.3.9b, ≤ 1.3.10rc2
- Impact: ProFTPD ACL Bypass via /proc/self/root Path Prefix in RNFR
- Status: No confirmed exploitation yet
- EPSS: 0.3% (30-day)
- Action: Apply the DefaultRoot workaround now and update as soon as a fixed release ships.
TL;DR
A new ProFTPD ACL bypass, CVE-2026-35025, scores 8.6 on CVSS v4. It lets an authenticated FTP user rename, and then read, files that a DenyAll rule on a Directory block should keep off limits. No patch exists yet, but a configuration workaround does.
Why It Matters
ProFTPD runs on many Unix and Linux servers, and hosting providers often use it to give customers file access without shell accounts. On such shared hosts the per-directory ACLs are what keep one account's files away from another, so they carry real weight. This ProFTPD ACL bypass breaks those limits: an authenticated user can reach files that a DenyAll rule should block, which threatens both confidentiality and integrity on shared FTP hosts.
How the Attack Works
The flaw lives in the RNFR command handler. An attacker prefixes the target path with /proc/self/root, which on a non-chrooted Linux host is a symlink to /. dir_canonical_path() leaves that symlink component unresolved, so the canonical path still carries the /proc/self/root prefix. dir_check() then compares that path as text against the configured Directory blocks, finds no match, and skips the ACL check entirely.
From there, the attacker renames files in protected directories and then retrieves them. Valid login credentials are required first, so the bug stays post-authentication.
Affected Versions
The issue affects ProFTPD through 1.3.9b and the 1.3.10rc2 release candidate. It maps to CWE-59, improper link resolution before file access. VulnCheck assigned the CVE, which carries an 8.6 CVSS v4 score and an 8.1 CVSS v3.1 score. The researcher “djnn” reported it in a public GitHub issue on June 24.
Exploitation Status
No public proof-of-concept has been confirmed. Likewise, no in-the-wild exploitation has been reported so far.
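With no confirmed in-the-wild activity, the practical next step is to check your own logs for the pattern. The scanner below is an added example, not part of the advisory or of ProFTPD. It assumes ExtendedLog lines in the built-in "default" LogFormat (`%h %l %u %t "%r" %s %b`); adjust LINE_RE for a custom format. The log lines, hosts, usernames and paths are constructed for the example.

```python
"""Hunt ProFTPD ExtendedLog lines for /proc/<pid>/root path prefixes.

Added example, not part of the advisory or of ProFTPD. Assumes the
default LogFormat "%h %l %u %t \"%r\" %s %b". Flags any path-taking
command whose argument traverses /proc/self/root (or /proc/<pid>/root)
and, for a flagged RNFR, records the RNTO destination that follows it
from the same host and user.
"""
import posixpath
import re

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<cmd>[A-Za-z]{3,4})(?: (?P<arg>.*))?" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Match the procfs component anywhere in the path, not only at the start,
# so spellings like /srv/ftp/../proc/self/root/... are caught after normpath.
PROC_ROOT_RE = re.compile(r'(?:^|/)proc/(?:self|thread-self|\d+)/root(?:/|$)')

PATH_COMMANDS = {"RNFR", "RNTO", "RETR", "STOR", "DELE", "CWD",
                 "LIST", "NLST", "MLSD", "SIZE", "MDTM", "STAT"}

# Constructed sample log: one session abusing the prefix, one benign rename.
SAMPLE_LOG = """\
203.0.113.5 - alice [01/Jan/2026:10:00:01 +0000] "USER alice" 331 0
203.0.113.5 - alice [01/Jan/2026:10:00:02 +0000] "PASS (hidden)" 230 0
203.0.113.5 - alice [01/Jan/2026:10:00:03 +0000] "RNFR /proc/self/root/srv/ftp/private/secret.txt" 350 0
203.0.113.5 - alice [01/Jan/2026:10:00:04 +0000] "RNTO /srv/ftp/alice/secret.txt" 250 0
203.0.113.5 - alice [01/Jan/2026:10:00:05 +0000] "RETR /srv/ftp/alice/secret.txt" 226 4096
198.51.100.9 - bob [01/Jan/2026:10:05:00 +0000] "RNFR /srv/ftp/bob/report.txt" 350 0
198.51.100.9 - bob [01/Jan/2026:10:05:01 +0000] "RNTO /srv/ftp/bob/report-old.txt" 250 0
"""


def is_proc_root_path(arg: str) -> bool:
    """True if the argument, after textual normalisation, traverses /proc/<pid>/root."""
    return bool(PROC_ROOT_RE.search(posixpath.normpath(arg)))


def scan(log_text: str):
    """Return one finding per suspicious command; pair a flagged RNFR with its RNTO."""
    findings = []
    pending = {}  # (host, user) -> index of a flagged RNFR awaiting its RNTO
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"].upper()
        arg = m["arg"] or ""
        key = (m["host"], m["user"])
        if cmd in PATH_COMMANDS and is_proc_root_path(arg):
            findings.append({"host": m["host"], "user": m["user"], "time": m["time"],
                             "cmd": cmd, "path": arg, "status": m["status"],
                             "rename_to": None})
            if cmd == "RNFR":
                pending[key] = len(findings) - 1
        elif cmd == "RNTO" and key in pending:
            findings[pending.pop(key)]["rename_to"] = arg
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['user']}@{f['host']} {f['cmd']} {f['path']} "
              f"-> {f['rename_to'] or '(no RNTO seen)'} [status {f['status']}]")
```

A 350 reply to the flagged RNFR followed by a 250 reply to the RNTO means the rename went through; a 550 on the RNFR is an attempt that failed. Either is worth a look, since no legitimate FTP client has reason to name a file through /proc.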
Patch and Mitigation
No fixed release is available yet. Until one ships, set DefaultRoot so that every session is chrooted: inside the jail /proc/self/root no longer resolves to the host root (and /proc is normally not mounted there at all), so the prefix no longer reaches the protected directories and the gap is closed. Admins should also review their Directory ACLs and watch for an upstream update.
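The weak configuration beside the worked-around one, as an added example that is not part of the advisory. The directory paths are assumed for the example; the DefaultRoot and Directory directives are ProFTPD's own.

```apacheconf
# Before: sessions are not chrooted. A client can spell a file under
# /srv/ftp/private as /proc/self/root/srv/ftp/private/..., and per the
# advisory dir_check() then finds no matching <Directory> block.
<Directory /srv/ftp/private>
  <Limit ALL>
    DenyAll
  </Limit>
</Directory>

# After: jail every session to the user's home directory. The ACL stays in
# place; the change is that /proc/self/root no longer resolves to the host
# root from inside the jail. To exempt an administrative group instead of
# chrooting everyone, use the group-expression form: DefaultRoot ~ !ftpadmins
DefaultRoot ~
<Directory /srv/ftp/private>
  <Limit ALL>
    DenyAll
  </Limit>
</Directory>
```

After editing, run `proftpd -t` to syntax-check the configuration before restarting the daemon, then log in as an ordinary user and confirm that an RNFR against a /proc/self/root-prefixed path is refused.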
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.