Skip to main content

ProFTPD CVE-2026-44331

| EUVDEUVD-2026-27484 HIGH
SQL Injection (CWE-89)
2026-05-05 mitre GHSA-jmg2-v72j-gmvc
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 20:32 vuln.today
Analysis Generated
May 05, 2026 - 20:32 vuln.today

DescriptionCVE.org

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.

AnalysisAI

SQL injection in ProFTPD 1.3.9a and earlier allows remote attackers to execute arbitrary SQL commands when the 'UseReverseDNS on' configuration is enabled. The vulnerability exists in mod_wrap2_sql.c where attacker-controlled reverse DNS hostnames are passed unescaped into SQL queries during client access control checks. Exploitation complexity is high due to DNS character restrictions and specific configuration requirements. No active exploitation confirmed (not in CISA KEV), but upstream fix is available via GitHub commit 7666224. EPSS risk data not provided.

Technical ContextAI

ProFTPD's mod_wrap2_sql module implements TCP Wrappers-style access control using SQL databases. The sqltab_fetch_clients_cb() function performs reverse DNS lookups on connecting client IP addresses to resolve hostnames, then queries an SQL database to check access permissions. The CWE-89 SQL injection vulnerability occurs because the resolved hostname is concatenated directly into SQL queries without sanitization. The fix introduces sqltab_get_escaped_text() which calls mod_sql.c's sql_escapestr hook to properly escape user-controlled data before database operations. This affects installations using both mod_wrap2_sql for access control AND UseReverseDNS enabled, requiring mod_sql.c to be loaded. The attack surface is limited to reverse DNS responses, which are constrained by RFC-compliant DNS character sets (alphanumeric, hyphens, dots), though creative encoding may bypass these restrictions.

RemediationAI

Apply the upstream fix by upgrading to ProFTPD builds incorporating commit 766622456440fbca33abd7927c523673a11d1ed1 or later, which introduces proper SQL escaping via the sql_escapestr hook in mod_wrap2_sql.c (module version updated to 1.1). Source available at https://github.com/proftpd/proftpd/commit/766622456440fbca33abd7927c523673a11d1ed1. No tagged release version incorporating this fix is confirmed at time of analysis; administrators may need to build from source or await vendor-packaged updates. Immediate workaround: disable UseReverseDNS in proftpd.conf (set to 'off'), which eliminates the attack vector but sacrifices hostname-based access controls and may break configurations relying on DNS names in mod_wrap2_sql tables. Alternative mitigation: switch from mod_wrap2_sql to file-based mod_wrap2_file for access control, though this requires reconfiguring access policies and loses SQL-based centralized management. Ensure mod_sql.c is loaded if continuing to use mod_wrap2_sql, as the fix depends on the sql_escapestr symbol.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP6 Fixed

Share

CVE-2026-44331 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy