CVE Reports

Posted on • Originally published at cvereports.com

GHSA-F9RX-7WF7-JR36: Two-Factor Authentication Bypass and Passwordless API Key Creation in Froxlor


Vulnerability ID: GHSA-F9RX-7WF7-JR36
CVSS Score: 8.1
Published: 2026-06-03

An authentication design flaw in the Froxlor server administration control panel lets an attacker bypass Two-Factor Authentication (2FA) entirely by issuing requests directly to the API. The API authentication routine, 'FroxlorRPC::validateAuth', validates only the API key and never checks whether the account has 2FA enabled, so anyone holding a valid key can perform arbitrary administrative or customer actions on a 2FA-protected account. In addition, versions prior to 2.3.7 allowed API keys to be created without re-validating the user's current password, so an attacker riding a hijacked session or a CSRF'd request could mint a key and keep persistent backdoor access that 2FA does nothing to stop.

TL;DR

Froxlor's API endpoint omits the Two-Factor Authentication status check entirely: an attacker who holds an API key can execute administrative commands on a 2FA-protected account. Versions prior to 2.3.7 also allowed those keys to be generated without a password check.
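To make the two weaknesses concrete, here is an added example in Python (not Froxlor's PHP code, and not the project's fix): a toy account store with a key-only validate_auth that never consults the 2FA flag, a key-creation path that asks for no password, and a hardened pair beside them. Everything in it (the class and function names, the in-memory accounts, and the policy that a 2FA-protected account only honours keys minted after a TOTP check) is this example's own assumption; the advisory itself only states that 2.3.7 adds the password check at key creation.

```python
"""Added example (not Froxlor code): a minimal model of the two weaknesses the
advisory describes. Accounts and keys are constructed in memory; every name
here is this example's own, and 'hardened' shows one possible policy rather
than Froxlor's actual 2.3.7 change."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ApiKey:
    secret: str
    twofa_verified: bool   # was a TOTP code checked when this key was minted?


@dataclass
class Account:
    name: str
    salt: bytes
    password_hash: bytes
    totp_secret: Optional[bytes]                  # None => 2FA not enabled
    api_keys: dict = field(default_factory=dict)  # key_id -> ApiKey

    @property
    def twofa_enabled(self) -> bool:
        return self.totp_secret is not None


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(name: str, password: str, totp_secret: Optional[bytes] = None) -> Account:
    salt = secrets.token_bytes(16)
    return Account(name, salt, _pw_hash(password, salt), totp_secret)


def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_pw_hash(password, acct.salt), acct.password_hash)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, used here as the second factor."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def _mint_key(acct: Account, twofa_verified: bool) -> tuple:
    key_id, secret = secrets.token_hex(8), secrets.token_hex(16)
    acct.api_keys[key_id] = ApiKey(secret, twofa_verified)
    return key_id, secret


# --- pre-2.3.7 behaviour as the advisory describes it -------------------------
def create_api_key_vulnerable(acct: Account) -> tuple:
    """Any live session can mint a key: no password, no second factor, so a
    hijacked session or a CSRF'd request yields a persistent key."""
    return _mint_key(acct, twofa_verified=False)


def validate_auth_vulnerable(acct: Account, key_id: str, secret: str) -> bool:
    """Key + secret is sufficient; the account's 2FA status is never consulted."""
    key = acct.api_keys.get(key_id)
    return key is not None and hmac.compare_digest(key.secret, secret)


# --- hardened variant (illustrative policy, an assumption of this example) ----
def create_api_key_hardened(acct: Account, current_password: str,
                            totp_code: Optional[str], now: int) -> tuple:
    """Re-prove the password (the check 2.3.7 adds) and, if 2FA is on, a TOTP code."""
    if not check_password(acct, current_password):
        raise PermissionError("current password check failed")
    if acct.twofa_enabled:
        expected = totp(acct.totp_secret, now)
        if totp_code is None or not hmac.compare_digest(expected, totp_code):
            raise PermissionError("second factor check failed")
    return _mint_key(acct, twofa_verified=acct.twofa_enabled)


def validate_auth_hardened(acct: Account, key_id: str, secret: str) -> bool:
    """Same credential check, plus: a 2FA-protected account only honours keys
    that were minted after a second-factor check."""
    if not validate_auth_vulnerable(acct, key_id, secret):
        return False
    return not acct.twofa_enabled or acct.api_keys[key_id].twofa_verified


def demo() -> dict:
    # 2FA-protected account; the TOTP seed is the RFC 6238 test-vector secret.
    alice = make_account("alice", "correct horse", totp_secret=b"12345678901234567890")
    # Attacker on a hijacked session mints a key without ever seeing a password.
    kid, sec = create_api_key_vulnerable(alice)
    results = {
        "vulnerable_api_accepts_key_on_2fa_account": validate_auth_vulnerable(alice, kid, sec),
        "hardened_api_rejects_same_key": not validate_auth_hardened(alice, kid, sec),
    }
    # The legitimate owner mints a key the hardened way, at t=59 s.
    code = totp(alice.totp_secret, now=59)
    kid2, sec2 = create_api_key_hardened(alice, "correct horse", code, now=59)
    results["hardened_api_accepts_verified_key"] = validate_auth_hardened(alice, kid2, sec2)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the first two results: the same key is accepted by the key-only check and refused once the 2FA flag is part of the decision. Whether a real deployment should refuse such keys outright or require re-enrolment is a product decision; the example just shows that the decision has to be made somewhere in the API path, not only at interactive login.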


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-287
  • Attack Vector: Network
  • CVSS v3.1: 8.1
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Froxlor Server Administration Control Panel
  • Froxlor: < 2.3.7 (Fixed in: 2.3.7)

Exploit Details

Mitigation Strategies

  • Upgrade Froxlor to version 2.3.7 or later, the release the advisory lists as the fix; it enforces password validation for API key creation.
  • Audit all active API keys in the database and revoke any legacy or unrecognized keys: keys minted before the upgrade were issued without a password check, so none of them can be assumed legitimate.
  • Restrict network access to /api.php to known source IP ranges in the web server configuration (allow/deny rules), since a valid API key alone is enough to authenticate regardless of 2FA.
  • Enable request logging for /api.php (the web server access log at minimum) and monitor administrative API actions for requests from unexpected source IP addresses.
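As an added example for the monitoring bullet (not part of the advisory or of Froxlor), the script below parses constructed web-server access-log lines in combined log format and reports /api.php requests from addresses outside an assumed allowlist, separating requests the server accepted from ones it rejected. The subnet, the sample lines and the function names are this example's assumptions.

```python
"""Added example: flag /api.php requests from outside an expected source range.
The log lines are constructed (Apache/nginx combined log format) and the
allowlist is an assumption; neither comes from the advisory or from Froxlor."""
import ipaddress
import re
from collections import defaultdict

# Assumed: only this automation subnet should ever talk to the API.
API_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
API_PATH = "/api.php"

# Client IP, request line and status from combined log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one legitimate client, one unexpected client that is
# accepted twice, one that the web server refuses, and one junk line.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2026:10:01:12 +0000] "POST /api.php HTTP/1.1" 200 512
198.51.100.77 - - [03/Jun/2026:10:02:40 +0000] "POST /api.php HTTP/1.1" 200 733
198.51.100.77 - - [03/Jun/2026:10:02:41 +0000] "POST /api.php HTTP/1.1" 200 733
203.0.113.10 - - [03/Jun/2026:10:03:05 +0000] "GET /index.php HTTP/1.1" 200 1024
192.0.2.9 - - [03/Jun/2026:10:04:00 +0000] "POST /api.php?x=1 HTTP/1.1" 403 64
garbage line that must be skipped rather than crash the audit
"""


def parse_line(line: str):
    """Return (ip, path, status) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]   # drop any query string
    return m.group("ip"), path, int(m.group("status"))


def is_allowed_source(ip: str) -> bool:
    """True only for addresses inside the allowlist; unparsable input is never trusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in API_ALLOWLIST)


def audit_api_access(log_text: str) -> dict:
    """Count /api.php requests per unexpected source IP, split by whether the
    server accepted (2xx) or rejected them. Accepted ones are the finding:
    they mean a valid key was used from somewhere it should not have been."""
    report = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        if path != API_PATH or is_allowed_source(ip):
            continue
        bucket = "accepted" if 200 <= status < 300 else "rejected"
        report[ip][bucket] += 1
    return dict(report)


def main() -> None:
    for ip, counts in audit_api_access(SAMPLE_LOG).items():
        level = "ALERT" if counts["accepted"] else "info"
        print(f"{level}: {ip} -> {counts['accepted']} accepted, "
              f"{counts['rejected']} rejected /api.php requests")


if __name__ == "__main__":
    main()
```

Run against a real access log, the "accepted" bucket is what to chase: an accepted /api.php call from outside the expected range means a key is in someone else's hands or the allowlist is incomplete. Rejected entries are useful too, because they show the web-server restriction from the previous bullet is actually doing its job.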

Remediation Steps:

  1. From the Froxlor installation root, update to release 2.3.7 (or later) using the project's normal upgrade path.
  2. Run the database migrations and clear the application cache so the fix is actually applied.
  3. Instruct all administrators and customers who use 2FA to revoke their existing API keys and generate new ones; keys created before the upgrade were issued without a password check.
  4. If programmatic access is only needed from known clients, review the web server configuration and restrict /api.php to those IP ranges.
