Improper Authorization in Froxlor - #VU135771
Published: June 29, 2026
Froxlor
Detailed vulnerability description
The vulnerability allows a remote user to create MySQL databases on disallowed servers.
The vulnerability exists due to improper authorization in the Mysqls.add API command when processing a customer-supplied mysql_server parameter. A remote user can send a specially crafted API request to create MySQL databases on disallowed servers.
Exploitation requires valid customer API credentials and is limited to creating and managing a newly provisioned database on an operator-configured server outside the customer's allowlist.
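An audit for the condition described above, as an added example that is not Froxlor's code: it applies an allowlist check to a caller-supplied server value and flags existing databases that sit on a server outside their owner's allowlist. The record layout, field names and sample data are constructed assumptions, not Froxlor's schema.

```python
import json

# Assumed layout (not Froxlor's schema): "allowlist" is a JSON array of server indexes.
def to_index(value):
    """Coerce an int or numeric string to a server index; reject anything else."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        return None
    try:
        return int(value)
    except ValueError:
        return None

def allowed_servers(raw):
    """Parse an allowlist; unreadable data yields the empty set (fail closed)."""
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return set()
    if not isinstance(parsed, list):
        return set()
    return {i for v in parsed if (i := to_index(v)) is not None}

def is_authorized(customer, requested_server):
    """Server-side check for a caller-supplied server value."""
    index = to_index(requested_server)
    return index is not None and index in allowed_servers(customer["allowlist"])

def audit(customers, databases):
    """Return (name, customer_id, server) for databases outside the owner's allowlist."""
    by_id = {c["id"]: c for c in customers}
    findings = []
    for db in databases:
        owner = by_id.get(db["customer_id"])
        if owner is None or not is_authorized(owner, db["server"]):
            findings.append((db["name"], db["customer_id"], db["server"]))
    return findings

# Constructed sample data.
CUSTOMERS = [{"id": 1, "allowlist": "[0]"},
             {"id": 2, "allowlist": '[0, "1"]'},
             {"id": 3, "allowlist": "not-json"}]
DATABASES = [{"name": "c1sql1", "customer_id": 1, "server": 0},
             {"name": "c1sql2", "customer_id": 1, "server": 1},  # outside allowlist
             {"name": "c2sql1", "customer_id": 2, "server": 1},
             {"name": "c3sql1", "customer_id": 3, "server": 0}]  # allowlist unreadable

if __name__ == "__main__":
    for finding in audit(CUSTOMERS, DATABASES):
        print("database outside owner's allowlist:", finding)
```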