ProFTPD mod_sql unauth RCE (CVE-2026-42167) [PoC]
CVE-2026-42167: ProFTPD mod_sql before 1.3.10rc1 lets attackers achieve unauthenticated RCE via a crafted username containing SQL (CVSS 8.1). Update to 1.3.10rc1 or later.
Exploitation confirmed; public proof-of-concept available. CVE-2026-42167 is a high-severity remote code execution in ProFTPD mod_sql before 1.3.10rc1 that lets unauthenticated attackers run arbitrary commands on the server by sending a malicious username. Patched in 1.3.10rc1; update immediately.
Overview
CVE-2026-42167 affects the mod_sql module in ProFTPD, a widely used FTP server. The vulnerability combines two factors: ProFTPD logs USER requests with an expansion such as %U, and the configured SQL backend supports command execution, for example through PostgreSQL’s COPY ... TO PROGRAM. By submitting a specially crafted username containing SQL commands, an unauthenticated attacker can trigger arbitrary code execution on the database server or the ProFTPD host.
Impact
Successful exploitation grants the attacker arbitrary command execution without authentication. Depending on the SQL backend configuration and database user permissions, the attacker could run system commands, exfiltrate data, install malware, or pivot to other internal systems. The CVSS 8.1 score reflects the high impact balanced by the high attack complexity: the attacker must find a system that logs USER requests to SQL with a %U expansion and uses a backend that permits command execution. Public PoC code nevertheless lowers the barrier to exploitation.
Affected Versions
All ProFTPD versions before 1.3.10rc1 are affected. Systems that do not use mod_sql or do not log USER requests with %U are not vulnerable.
Remediation
Upgrade to ProFTPD 1.3.10rc1 or later. If upgrading is not immediately possible, disable SQL logging of USER requests that expands %U as a mitigation. Ensure the SQL database user that ProFTPD connects with has minimal privileges; revoke COPY and other command-execution permissions if your backend supports them.
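As an added example (not from the advisory or the ProFTPD project), a small audit script that flags the configuration the Affected Versions and Remediation sections describe: an SQLNamedQuery containing %U that an SQLLog directive runs on the USER command. The proftpd.conf fragment is constructed, and the script only interprets explicit comma-separated SQLLog command lists.

```python
import re

# Constructed sample proftpd.conf fragment, not taken from the advisory.
# "loguser" embeds %U (the raw argument of the USER command) and is fired on
# USER, which is the configuration the advisory describes as exposed.
# "logauth" fires after PASS and uses %u (the authenticated user), which the
# advisory does not list as a vulnerable configuration.
SAMPLE_CONF = """
<IfModule mod_sql.c>
  SQLEngine on
  SQLBackend postgres
  SQLConnectInfo ftpdb@localhost ftpuser secret
  SQLNamedQuery loguser FREEFORM "INSERT INTO ftp_log (who, at) VALUES ('%U', now())"
  SQLLog USER loguser
  SQLNamedQuery logauth FREEFORM "INSERT INTO ftp_log (who, at) VALUES ('%u', now())"
  SQLLog PASS logauth IGNORE_ERRORS
</IfModule>
"""

# SQLNamedQuery <name> <type> "<query>"  and  SQLLog <cmd-list> <query-name> [...]
NAMED_QUERY = re.compile(r'^\s*SQLNamedQuery\s+(\S+)\s+(\S+)\s+"([^"]*)"', re.M)
SQL_LOG = re.compile(r'^\s*SQLLog\s+(\S+)\s+(\S+)', re.M)


def find_user_expansion_logging(conf_text):
    """Return names of SQLNamedQuery definitions that contain %U and are run
    by an SQLLog directive whose command list includes USER.

    Assumption for brevity: only explicit comma-separated command lists are
    matched; wildcard or negated SQLLog forms are not interpreted.
    """
    queries = {name: sql for name, _qtype, sql in NAMED_QUERY.findall(conf_text)}
    findings = []
    for cmds, qname in SQL_LOG.findall(conf_text):
        commands = [c.strip().upper() for c in cmds.split(",")]
        if "USER" in commands and "%U" in queries.get(qname, ""):
            findings.append(qname)
    return findings


if __name__ == "__main__":
    for qname in find_user_expansion_logging(SAMPLE_CONF):
        print(f"SQLLog USER runs query '{qname}', which expands %U: "
              "remove the expansion or upgrade to ProFTPD 1.3.10rc1 or later")
```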
Security Insight
CVE-2026-42167 is a textbook example of a vulnerability emerging not from a single buggy function, but from the unintended interaction of two legitimate features: log expansion and SQL command execution. This pattern recurs across open-source projects where feature richness outpaces security review of cross-module interactions. For ProFTPD maintainers, this should prompt a review of all modules that expand user-controlled input, particularly when the output reaches SQL or shell contexts.
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Description | Stars |
|---|---|---|
| ZeroPathAI/proftpd-CVE-2026-42167-poc | POCs to demonstrate CVE-2026-42167 in ProFTPD | ★ 21 |
| jimmexploit/CVE-2026-42167-PoC | ProFTPD SQL injection PoC | ★ 1 |
| Sl4cK0TH/CVE-2026-42167-PoC | Pre-Auth RCE in ProFTPD via mod_sql is_escaped_text() bypass (CVE-2026-42167) | ★ 0 |
| efeanilarslan/CVE-2026-42167-Exploit | Python exploit for CVE-2026-42167 (ProFTPD mod_sql). Features automated file scanning and timing-based blind data exfiltration. | ★ 0 |
Showing 4 of 4 known references. Source: nomi-sec/PoC-in-GitHub.