# CVE-2026-35025

## Summary

ProFTPD ACL bypass via /proc/self/root path prefix in RNFR

## Description

ProFTPD through 1.3.9b and 1.3.10rc2 contains an access-control bypass in the handler for the FTP RNFR command. An authenticated FTP user can prefix a path with /proc/self/root; dir_canonical_path() leaves the symlink components of that prefix unresolved, so the lexical path comparisons in dir_check() miss the configured Directory blocks that would otherwise apply to the target.

A runtime proof of the issue requires a real ProFTPD FTP server with a user account, a directory protected by DenyAll, and an FTP client session showing that direct access to and renaming of the protected file are denied, while RNFR with the /proc/self/root-prefixed path is accepted, allowing the rename to complete and the protected file's contents to be retrieved afterwards.

DefaultRoot/chroot configurations are documented as not affected and should not be used for the vulnerable proof environment.
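For defenders reviewing existing servers, the prefix described above is visible in command logging. The following detector is an added example, not code from the advisory or from the ProFTPD project; it assumes an ExtendedLog written with the LogFormat shown in the comments, scans constructed sample lines, and generalizes the check from RNFR to every FTP command that takes a path argument, flagging any /proc/self/root, /proc/thread-self/root or /proc/<pid>/root component.

```python
import re
from typing import Dict, List

# Constructed sample lines (not from the advisory). The assumed format is a ProFTPD
# ExtendedLog written with LogFormat "%h %u %t \"%r\" %s": client host, login name,
# timestamp, the full command line as received, and the three-digit FTP reply code.
SAMPLE_LOG = """\
10.0.0.5 alice [01/May/2026:10:00:01 +0000] "RNFR /srv/ftp/protected/secret.txt" 550
10.0.0.5 alice [01/May/2026:10:00:02 +0000] "RNFR /proc/self/root/srv/ftp/protected/secret.txt" 350
10.0.0.5 alice [01/May/2026:10:00:03 +0000] "RNTO /srv/ftp/pub/moved.txt" 250
10.0.0.5 alice [01/May/2026:10:00:04 +0000] "RETR /srv/ftp/pub/moved.txt" 226
10.0.0.9 bob [01/May/2026:10:05:00 +0000] "CWD /proc/1234/root/etc" 550
10.0.0.9 bob [01/May/2026:10:05:01 +0000] "PWD" 257
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<cmd>[^"]*)" (?P<code>\d{3})$'
)
# Any path that re-enters the filesystem root through procfs, absolute or relative:
# /proc/self/root, /proc/thread-self/root or /proc/<pid>/root.
PROC_ROOT_RE = re.compile(r'(?:^|/)proc/(?:self|thread-self|\d+)/root(?:/|$)')
# FTP commands whose argument is a filesystem path and so can carry the prefix.
PATH_COMMANDS = {
    "RNFR", "RNTO", "RETR", "STOR", "APPE", "DELE", "CWD", "MKD", "RMD",
    "LIST", "NLST", "MLSD", "MLST", "SIZE", "MDTM",
}

def is_proc_root_path(path: str) -> bool:
    """True if the client-supplied path routes through a procfs root alias."""
    return PROC_ROOT_RE.search(path) is not None

def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per logged path command that used a /proc/.../root prefix."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed LogFormat; skip rather than guess
        verb, _, arg = m.group("cmd").partition(" ")
        if verb.upper() in PATH_COMMANDS and is_proc_root_path(arg):
            hits.append({
                "host": m.group("host"), "user": m.group("user"),
                "verb": verb.upper(), "path": arg, "code": int(m.group("code")),
                # 2xx/3xx replies mean the server accepted the command (350 on RNFR
                # means the rename source was accepted and RNTO may follow).
                "accepted": m.group("code").startswith(("2", "3")),
            })
    return hits
```

An accepted hit (a 2xx/3xx reply) on a server without DefaultRoot is the signal worth escalating; a rejected one still shows a client probing the prefix.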

## Metadata

- Product: ProFTPD
- Severity: high
- Status: open
