CVE-2026-42167:
A SQL injection vulnerability in mod_sql for ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code by supplying a malicious username when USER request logging with expansions like %U is enabled and the SQL backend supports command execution features such as PostgreSQL's COPY TO PROGRAM.
Score: 8.1 (High)
- Published Date: Apr 28, 2026
- CISA KEV Date: No Data
- Industries Affected: 20
Exploitability
- Score: 2.2
- Attack Vector: NETWORK
- Attack Complexity: HIGH
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
CVE-2026-42167 affects the mod_sql module in ProFTPD versions prior to 1.3.10rc1. The vulnerability is a SQL injection flaw triggered when the FTP server logs USER login requests using SQL query templates containing username expansion variables (e.g., %U). Because the username value supplied by a connecting client is not properly sanitized before being interpolated into SQL statements, a remote attacker can inject arbitrary SQL. When the underlying database backend supports operating system command execution — most notably PostgreSQL's COPY TO PROGRAM directive — this injection can be leveraged to achieve remote code execution on the server host. No authentication is required to trigger the flaw, making it exploitable by any network-accessible attacker, though successful exploitation depends on a specific and non-default server configuration. The vulnerability has been assigned a CVSS v3.1 score of 8.1 (HIGH) reflecting its potential for complete system compromise.
Remediation
- Upgrade ProFTPD to version 1.3.10rc1 or later, which contains the fix for this vulnerability.
- As an interim mitigation, review SQL-based logging configurations that use username expansion variables such as %U in query templates, and disable or modify them so that user-supplied input is not interpolated directly into SQL statements.
- Where PostgreSQL is used as the backend, audit database-level privileges to restrict or disable dangerous features such as COPY TO PROGRAM for the database user account utilized by ProFTPD.
- Network-level controls such as firewalls restricting FTP access to trusted sources can reduce exposure while a patch is being applied.
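As an added example (not code from this advisory or from the ProFTPD project), the following Python script flags the exposed configuration described above: SQLLog bindings on the USER command whose SQLNamedQuery template embeds %U. It assumes mod_sql's SQLNamedQuery and SQLLog directive syntax, and the proftpd.conf fragment it scans is constructed.

```python
import re
from typing import Dict, List

# Expansions filled from client input before authentication; %U (the
# USER name as sent by the client) is the one the advisory names.
RISKY_EXPANSIONS = ("%U",)

# Assumed mod_sql syntax: "SQLNamedQuery <name> <type> <query...>" and
# "SQLLog <cmd-list> <query-name>", where cmd-list is comma-separated
# and may carry a leading "!" (log on failure).
NAMED_QUERY_RE = re.compile(r'^\s*SQLNamedQuery\s+(\S+)\s+(\S+)\s+"?(.*?)"?\s*$', re.I)
SQLLOG_RE = re.compile(r"^\s*SQLLog\s+(\S+)\s+(\S+)", re.I)

# Constructed sample proftpd.conf fragment (not from a real deployment).
SAMPLE_CONFIG = """
SQLBackend postgres
SQLConnectInfo ftpdb@localhost ftpuser PLACEHOLDER_PASSWORD
SQLNamedQuery log_user FREEFORM "INSERT INTO ftp_log (who, ts) VALUES ('%U', now())"
SQLLog USER log_user
SQLNamedQuery log_quit FREEFORM "INSERT INTO ftp_log (who, ts) VALUES ('quit', now())"
SQLLog QUIT log_quit
"""


def find_risky_sql_logging(config_text: str) -> List[dict]:
    """Return SQLLog bindings on USER whose named query embeds a risky expansion."""
    queries: Dict[str, str] = {}
    bindings: List[tuple] = []
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = NAMED_QUERY_RE.match(line)
        if m:
            queries[m.group(1)] = m.group(3)  # query text, outer quotes stripped
            continue
        m = SQLLOG_RE.match(line)
        if m:
            bindings.append((m.group(1), m.group(2)))

    findings = []
    for cmd_list, qname in bindings:
        cmds = {c.lstrip("!").upper() for c in cmd_list.split(",")}
        sql = queries.get(qname, "")
        hits = [e for e in RISKY_EXPANSIONS if e in sql]
        if "USER" in cmds and hits:
            findings.append({"query": qname, "commands": cmd_list, "expansions": hits, "sql": sql})
    return findings


if __name__ == "__main__":
    for f in find_risky_sql_logging(SAMPLE_CONFIG):
        print(f"[risk] SQLLog {f['commands']} -> {f['query']} uses {f['expansions']}: {f['sql']}")
```

Any finding on an unpatched host means the USER name reaches the SQL backend unsanitized; remove the %U expansion from that template or unbind it from USER until 1.3.10rc1 is deployed.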
References
- ProFTPD Release Notes 1.3.10rc1: http://www.proftpd.org/docs/RELEASE_NOTES-1.3.10rc1
- ProFTPD GitHub Issue #2052: https://github.com/proftpd/proftpd/issues/2052
- ZeroPath Blog – ProFTPD CVE-2026-42167 Auth Bypass, Privilege Escalation, and RCE: https://zeropath.com/blog/proftpd-cve-2026-42167-auth-bypass-privesc-rce
- ZeroPath Proof-of-Concept Repository: https://github.com/ZeroPathAI/proftpd-CVE-2026-42167-poc
- NVD Entry for CVE-2026-42167: https://nvd.nist.gov/vuln/detail/CVE-2026-42167
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.