CVE-2026-42167
Published: 28 April 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-42167 affects the mod_sql module in ProFTPD versions before 1.3.9a. The vulnerability stems from improper handling of usernames in SQL queries and enables remote attackers to execute arbitrary code. It is reachable in configurations where USER requests are logged using expansions such as %U and the SQL backend supports commands such as COPY TO PROGRAM. The flaw is classified under CWE-89 (SQL Injection) and carries a CVSS v3.1 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote, unauthenticated attackers can exploit the flaw over the network by submitting a malicious username during authentication. Successful exploitation yields arbitrary code execution on the server; the attack is rated high complexity but requires no privileges and no user interaction.
Mitigation is to upgrade to ProFTPD 1.3.9a or later, the first release outside the affected range. The official release notes for 1.3.10rc1 (proftpd.org/docs/RELEASE_NOTES-1.3.10rc1) describe the fix, and the GitHub issue proftpd/proftpd/issues/2052 tracks the discussion. Additional resources include an oss-security mailing list post from May 2026, a proof-of-concept at ZeroPathAI/proftpd-CVE-2026-42167-poc, and a ZeroPath blog post analyzing the authentication bypass, privilege escalation, and RCE aspects.
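As an added example (not part of this advisory or of the ProFTPD project), the following detection pass scans constructed FTP command-log lines and flags USER arguments that carry SQL metacharacters, the kind of input this flaw turns into a query fragment through an unescaped %U expansion. The log line format and sample addresses are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log: one FTP command per line as "timestamp client COMMAND argument".
# This layout is an assumption for the example, not ProFTPD's own log format.
SAMPLE_LOG = """\
2026-04-29T10:00:01Z 203.0.113.5 USER alice
2026-04-29T10:00:02Z 203.0.113.5 PASS ********
2026-04-29T10:00:05Z 198.51.100.9 USER bob'; --
2026-04-29T10:00:07Z 198.51.100.9 USER bob"
2026-04-29T10:00:09Z 192.0.2.77 USER o'brien
"""

# Characters and keywords that let a username break out of a quoted %U expansion
# or steer the resulting statement toward backend features such as COPY TO PROGRAM.
SUSPICIOUS = re.compile(r"""['";\\]|--|/\*|\bCOPY\b|\bPROGRAM\b""", re.IGNORECASE)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$")


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    username: str
    reason: str


def find_suspicious_users(log_text: str) -> list[Finding]:
    """Return one Finding per USER command whose argument contains SQL metacharacters."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["cmd"] != "USER" or m["arg"] is None:
            continue  # only the USER argument reaches %U in the vulnerable configuration
        hit = SUSPICIOUS.search(m["arg"])
        if hit:
            findings.append(Finding(m["ts"], m["client"], m["arg"], f"contains {hit.group(0)!r}"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_users(SAMPLE_LOG):
        print(f"{f.ts} {f.client} USER={f.username!r} ({f.reason})")
```

A lone apostrophe also matches legitimate names such as o'brien, so on a real site the pattern needs tuning against the local account namespace before it is used for alerting.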
Details
- CWE(s): CWE-89 (SQL Injection)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote, unauthenticated arbitrary code execution via SQL injection in a public-facing ProFTPD server, directly mapping to exploitation of public-facing applications.