ProFTPD through 1.3.9b and 1.3.10rc2 contains an access...
High severity
Unreviewed
Published
Jun 24, 2026
to the GitHub Advisory Database
•
Updated Jun 24, 2026
Description
Published by the National Vulnerability Database
Jun 24, 2026
Published to the GitHub Advisory Database
Jun 24, 2026
Last updated
Jun 24, 2026
ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.
References