{"id":"CVE-2026-35025","summary":"ProFTPD ACL Bypass via /proc/self/root Path Prefix in RNFR","details":"ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.","modified":"2026-06-25T04:04:08.522916768Z","published":"2026-06-24T13:21:42.281Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35025.json","cwe_ids":["CWE-59"],"cna_assigner":"VulnCheck"},"references":[{"type":"WEB","url":"http://www.proftpd.org/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35025.json"},{"type":"PACKAGE","url":"https://github.com/proftpd/proftpd"},{"type":"ARTICLE","url":"https://github.com/proftpd/proftpd/issues/2170"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35025"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/proftpd-acl-bypass-via-proc-self-root-path-prefix-in-rnfr"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/proftpd/proftpd","events":[{"introduced":"0"},{"last_affected":"390b21555268bbc64b66d2dfa7ae40476419b80f"},{"last_affected":"13aec2ef773d981d9e64d9618fcfaa3238f21a8e"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"1.3.9b"},{"last_affected":"1.3.10rc2"}],"source":"AFFECTED_FIELD"}}],"versions":["v1.3.9b","v1.3.10rc2-2","v1.3.10rc2","v1.3.9a","v1.3.10rc1","v1.3.9","v1.3.9rc3","v1.3.9rc2","v1.3.9rc1","v1.3.8","v1.3.8rc4","v1.3.8rc3","v1.3.8rc2","v1.3.8rc1","v1.3.7","v1.3.7rc4","v1.3.7rc3","v1.3.7rc2","v1.3.7rc1","v1.3.6","v1.3.6rc4","v1.3.6rc3","v1.3.6rc2","v1.3.6rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-35025.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}]}