CVE-2026-44331

CVE-2026-44331 is a SQL injection vulnerability in ProFTPD versions through 1.3.9a before commit 7666224, specifically affecting the sqltab_fetch_clients_cb() function in contrib/mod_wrap2_sql.c. The flaw arises when the "UseReverseDNS on" configuration is enabled, allowing an attacker-supplied hostname from a reverse DNS lookup to be passed unescaped into SQL queries. This enables injection of arbitrary SQL commands via a crafted domain name, though DNS name character restrictions may limit exploitability. The vulnerability is rated 8.1 on the CVSS 3.1 scale (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-89.

A remote attacker with no privileges can exploit this vulnerability by controlling the hostname returned during a reverse DNS lookup for an incoming connection. Successful exploitation grants high confidentiality, integrity, and availability impacts through arbitrary SQL command execution against the backend database used by mod_wrap2_sql, potentially leading to data exfiltration, modification, or server compromise. The high attack complexity stems from the need to craft a domain name that evades DNS restrictions while forming valid malicious SQL.

Mitigation is addressed in the ProFTPD GitHub repository via commit 766622456440fbca33abd7927c523673a11d1ed1, which resolves the issue in versions prior to its application. Security practitioners should update ProFTPD to include this commit or later, or disable the UseReverseDNS option in configurations employing mod_wrap2_sql. Further details are available in the associated GitHub issue at https://github.com/proftpd/proftpd/issues/2057.