Improper Authentication in Froxlor - #VU135776
Published: June 29, 2026
Froxlor
Detailed vulnerability description
The vulnerability allows a remote user to bypass two-factor authentication and gain full access to API operations.
The vulnerability exists due to improper authentication in FroxlorRPC::validateAuth when handling API authentication with an API key and secret for an account with 2FA enabled. A remote user can use a leaked API key and secret to bypass two-factor authentication and gain full access to API operations.
The issue affects accounts that have 2FA enabled because the API path does not issue or verify a TOTP challenge, unlike the web UI.
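To illustrate the defect class described above, here is an added example (not Froxlor's code; `Account`, `validate_auth_vulnerable` and `validate_auth_hardened` are hypothetical names chosen for this illustration) showing an API key/secret check that ignores 2FA beside one that also demands a TOTP code, per RFC 6238, whenever the account has 2FA enabled:

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass


@dataclass
class Account:
    api_key: str
    api_secret: str
    totp_enabled: bool
    totp_secret: bytes  # raw TOTP seed


# Constructed sample account; the seed is the RFC 6238 reference test seed.
SAMPLE_ACCOUNT = Account("demo-key", "demo-secret", True, b"12345678901234567890")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step containing `at`."""
    return hotp(secret, at // step)


def _key_secret_ok(acct: Account, key: str, secret: str) -> bool:
    # Constant-time comparison of both credentials.
    return hmac.compare_digest(key, acct.api_key) and hmac.compare_digest(secret, acct.api_secret)


def validate_auth_vulnerable(acct: Account, key: str, secret: str) -> bool:
    """Key/secret only: a 2FA-enabled account is accepted with no TOTP check at all."""
    return _key_secret_ok(acct, key, secret)


def validate_auth_hardened(acct: Account, key: str, secret: str, code: str = None,
                           now: int = None, window: int = 1) -> bool:
    """Key/secret plus, when 2FA is enabled, a valid TOTP code from an adjacent time step."""
    if not _key_secret_ok(acct, key, secret):
        return False
    if not acct.totp_enabled:
        return True
    if code is None:
        return False  # 2FA is on but no second factor was supplied: deny, do not fall back
    now = int(time.time()) if now is None else now
    return any(hmac.compare_digest(code, totp(acct.totp_secret, now + d * 30))
               for d in range(-window, window + 1))
```

With the constructed account, the key/secret-only path returns True even though no TOTP code was presented, which is the behaviour the advisory describes; the hardened path denies until a code matching the current step is supplied.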