CVE-2026-32147

4.3 MEDIUM
Published: April 21, 2026 Modified: May 21, 2026
View on NVD

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory. The SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely. Any authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector. If the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4. This issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://cna.erlef.org/cves/CVE-2026-32147.html
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Vendor Advisory
https://github.com/erlang/otp/security/advisories/GHSA-28jg-mw9x-hpm5
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Vendor Advisory
https://osv.dev/vulnerability/EEF-CVE-2026-32147
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Third Party Advisory
https://www.erlang.org/doc/system/versions.html#order-of-versions
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Product

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
4.3 / 10.0
EPSS (Exploit Probability)
0.4%
27th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

erlang