CVE-2026-35025

Name: CVE-2026-35025
Creator: NVD / NIST
Published: 2026-06-24T14:17:30.95+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.6/10EPSS 0.34%

Last modified Jun 25, 2026

This CVE is reserved or awaiting analysis. Details will appear once published by NVD.

Description

ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.

Metrics

CVSS 3.1

8.1/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0

8.6/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.34%

26.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-59

References

Timeline

Published: Jun 24, 2026
Last Modified: Jun 25, 2026
Status: Awaiting Analysis

Are you affected by CVE-2026-35025?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST