
Description

A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. Because the backend does not reject or neutralize these sequences, a CR/LF inside the path terminates the FTP command the backend meant to send, and the remainder of the path is parsed by the server as further commands of the attacker's choosing, potentially leading to arbitrary code execution or other severe impacts. The CVSS vector below (AV:N, UI:R, C:L/I:N/A:N) records the assessed conditions: a user must act on an attacker-supplied path, and the scored impact is limited to a low confidentiality loss.
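
The bug class in this description, as an added example that is not GVfs code: a small Python model of an FTP client that concatenates a caller-supplied path into a control-connection command, the server-side line splitting that turns an embedded line break into a second command, and the check that rejects such paths. The command verbs, the sample paths and the server-side reader are constructed for illustration; nothing here reproduces the GVfs backend or a known exploit.

```python
import re

# Added example, not GVfs code: models the CRLF-injection bug class described
# above and the check that closes it. Verbs, sample paths and the server-side
# reader are constructed for illustration.

CRLF = b"\r\n"


def build_command_unsafe(verb: str, path: str) -> bytes:
    """Vulnerable pattern: the path goes straight into the command line."""
    return verb.encode("ascii") + b" " + path.encode("utf-8") + CRLF


def server_view(wire: bytes) -> list[str]:
    """Model of an FTP server reading its control connection.

    RFC 959 ends each command with CRLF, and many servers also accept a bare
    LF or CR, so the model splits on any of them. A line break smuggled in
    through the path therefore starts a new, attacker-chosen command.
    """
    parts = re.split(rb"\r\n|\n|\r", wire)
    return [p.decode("utf-8", errors="replace") for p in parts if p]


def is_safe_path(path: str) -> bool:
    """Reject any CR or LF, not only the exact two-byte CRLF pair."""
    return "\r" not in path and "\n" not in path


def build_command_safe(verb: str, path: str) -> bytes:
    """Hardened form: refuse to build a command from a path with line breaks."""
    if not is_safe_path(path):
        raise ValueError("FTP path contains CR or LF")
    return build_command_unsafe(verb, path)


def safe_builder_rejects(verb: str, path: str) -> bool:
    """True if the hardened builder refuses the path."""
    try:
        build_command_safe(verb, path)
    except ValueError:
        return True
    return False


# Constructed attacker-controlled paths. On the wire, what the client meant
# as one directory name carries a second command after the line break.
INJECTED_PATH = "pub\r\nDELE important.txt"
BARE_LF_PATH = "pub\nDELE important.txt"
BENIGN_PATH = "pub/docs"


def demo() -> dict[str, list[str]]:
    """What the server parses for each path when built the unsafe way."""
    return {
        name: server_view(build_command_unsafe("CWD", path))
        for name, path in (
            ("benign", BENIGN_PATH),
            ("crlf", INJECTED_PATH),
            ("bare_lf", BARE_LF_PATH),
        )
    }


if __name__ == "__main__":
    for name, commands in demo().items():
        print(f"{name:8s} -> {commands}")
    print("hardened builder rejects injected path:",
          safe_builder_rejects("CWD", INJECTED_PATH))
```

Two points the model makes that a fix should respect: the check must cover a bare LF and a bare CR as well as the CRLF pair, because lenient servers treat each as a terminator; and the check belongs after any URI percent-decoding, since `%0D%0A` in a URI becomes raw CR/LF before the path reaches the protocol layer. Refusing the path is preferable to stripping the bytes, which would silently accept a mangled path instead of surfacing the attempt.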

PUBLISHED Reserved 2026-02-26 | Published 2026-02-26 | Updated 2026-02-26 | Assigner redhat




MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Problem types

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Product status

Default status: affected

Timeline

2026-02-26: Reported to Red Hat.
2026-02-26: Made public.

Credits

Red Hat would like to thank Codean Labs for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-28296 (vdb-entry)

bugzilla.redhat.com/show_bug.cgi?id=2443003 (RHBZ#2443003, issue-tracking)

cve.org (CVE-2026-28296)

nvd.nist.gov (CVE-2026-28296)
