GHSA-f9rx-7wf7-jr36: Froxlor's API Authentication bypasses 2FA Authentication
Froxlor’s API authentication (FroxlorRPC::validateAuth) does not enforce Two-Factor Authentication. When a user (admin or customer) enables 2FA on their account, the web UI correctly requires a TOTP code after password verification. However, the API accepts requests authenticated with only an API key and secret — no TOTP challenge is issued, checked, or required.
An attacker who obtains a leaked API key+secret for a 2FA-protected account has full access to all API operations without providing a second factor.
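The flaw is an authentication boundary that checks the API credential but never consults the account's 2FA state. The following added example (my own code, not Froxlor's, and not the project's fix) contrasts a `validateAuth`-style routine that accepts key+secret alone with a hardened variant that also demands a valid TOTP whenever the account has 2FA enabled. The account records, field names (`twofa_enabled`, `totp_secret`), request shape and API keys are constructed for the example; the TOTP secret is the RFC 6238 reference secret so the expected codes are well known.

```python
"""Added example (not Froxlor's code): API-key auth must honour the account's 2FA flag."""
import hmac
import hashlib
import struct
import time

# Constructed account records; field names are assumptions, not Froxlor's schema.
ACCOUNTS = {
    "key-admin-0001": {
        "loginname": "admin",
        "api_secret": "s3cr3t-admin",
        "twofa_enabled": True,
        # RFC 6238 reference secret, chosen so the expected codes are well known.
        "totp_secret": b"12345678901234567890",
    },
    "key-cust-0002": {
        "loginname": "customer1",
        "api_secret": "s3cr3t-customer",
        "twofa_enabled": False,
        "totp_secret": None,
    },
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock drift)."""
    if not code or not code.isdigit():
        return False
    counter = at // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def _lookup(request: dict):
    """Resolve key+secret to an account, comparing the secret in constant time."""
    account = ACCOUNTS.get(str(request.get("apikey", "")))
    if account is None:
        return None
    presented = str(request.get("secret", "")).encode()
    if not hmac.compare_digest(account["api_secret"].encode(), presented):
        return None
    return account


def validate_auth_vulnerable(request: dict):
    """Flawed pattern: key+secret alone grants access; 2FA state is never consulted."""
    account = _lookup(request)
    if account is None:
        return (False, "bad key or secret")
    return (True, account["loginname"])


def validate_auth_hardened(request: dict, now=None):
    """Hardened pattern: a 2FA-enabled account must also present a valid TOTP."""
    account = _lookup(request)
    if account is None:
        return (False, "bad key or secret")
    if account["twofa_enabled"]:
        at = int(time.time()) if now is None else now
        if not verify_totp(account["totp_secret"], str(request.get("totp", "")), at):
            return (False, "second factor required")
    return (True, account["loginname"])


if __name__ == "__main__":
    leaked = {"apikey": "key-admin-0001", "secret": "s3cr3t-admin"}
    print("vulnerable:", validate_auth_vulnerable(leaked))
    print("hardened, no TOTP:", validate_auth_hardened(leaked))
```

The hardened variant makes the second factor part of the same decision as the credential check rather than a separate UI step, so a leaked key+secret alone is rejected for any account that has 2FA turned on. A log line on every `second factor required` outcome is a cheap detection signal for leaked API credentials being tried against 2FA-protected accounts.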