CVE-2026-23942 (GCVE-0-2026-23942)
Vulnerability from cvelistv5 – Published: 2026-03-13 09:11 – Updated: 2026-03-13 16:07
VLAI?
Title
SFTP root escape via component-agnostic prefix check in ssh_sftpd
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.
This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2.
The SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root.
This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
Credits
Luigino Camastra / Aisle Research
Jakub Witczak
Michał Wąsowski
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23942",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:02:31.222384Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:02:38.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftpd"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:is_within_root/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "5.5.1",
"status": "unaffected"
},
{
"at": "5.2.11.6",
"status": "unaffected"
},
{
"at": "5.1.4.14",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
},
{
"changes": [
{
"at": "pkg:otp/ssh@5.5.1",
"status": "unaffected"
},
{
"at": "pkg:otp/ssh@5.2.11.6",
"status": "unaffected"
},
{
"at": "pkg:otp/ssh@5.1.4.14",
"status": "unaffected"
}
],
"lessThan": "pkg:otp/ssh@*",
"status": "affected",
"version": "pkg:otp/ssh@3.0.1",
"versionType": "purl"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftpd"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:is_within_root/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.4.1",
"status": "unaffected"
},
{
"at": "27.3.4.9",
"status": "unaffected"
},
{
"at": "26.2.5.18",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "27688a824f753d4c16371dc70e88753fb410590b",
"status": "unaffected"
},
{
"at": "9e0ac85d3485e7898e0da88a14be0ee2310a3b28",
"status": "unaffected"
},
{
"at": "5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.9",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.4.1",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Luigino Camastra / Aisle Research"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Micha\u0142 W\u0105sowski"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routines \u003ctt\u003essh_sftpd:is_within_root/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe SFTP server uses string prefix matching via \u003ctt\u003elists:prefix/2\u003c/tt\u003e rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to \u003ctt\u003e/home/user1\u003c/tt\u003e, paths like \u003ctt\u003e/home/user10\u003c/tt\u003e or \u003ctt\u003e/home/user1_backup\u003c/tt\u003e would incorrectly be considered within the root.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2.\n\nThe SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:07:54.430Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-4749-w85x-hw9h"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/27688a824f753d4c16371dc70e88753fb410590b"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/9e0ac85d3485e7898e0da88a14be0ee2310a3b28"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SFTP root escape via component-agnostic prefix check in ssh_sftpd",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive or precious data is readable or writable by the OS user running the Erlang VM.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eUse directory naming conventions that avoid common prefixes (e.g., \u003ctt\u003e/home/users/alice/\u003c/tt\u003e instead of \u003ctt\u003e/home/user1/\u003c/tt\u003e).\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Use OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment.\n* Ensure that no sensitive or precious data is readable or writable by the OS user running the Erlang VM.\n* Ensure that the SFTP server port is not reachable from untrusted machines.\n* Use directory naming conventions that avoid common prefixes (e.g., /home/users/alice/ instead of /home/user1/)."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-23942",
"datePublished": "2026-03-13T09:11:56.424Z",
"dateReserved": "2026-01-19T14:23:14.343Z",
"dateUpdated": "2026-03-13T16:07:54.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-23942\",\"sourceIdentifier\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"published\":\"2026-03-13T19:54:15.520\",\"lastModified\":\"2026-03-13T19:54:15.520\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.\\n\\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2.\\n\\nThe SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root.\\n\\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/erlang/otp/commit/27688a824f753d4c16371dc70e88753fb410590b\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"},{\"url\":\"https://github.com/erlang/otp/commit/5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"},{\"url\":\"https://github.com/erlang/otp/commit/9e0ac85d3485e7898e0da88a14be0ee2310a3b28\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"},{\"url\":\"https://github.com/erlang/otp/security/advisories/GHSA-4749-w85x-hw9h\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"},{\"url\":\"https://www.erlang.org/doc/system/versions.html#order-of-versions\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-23942\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-13T16:02:31.222384Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-13T16:02:34.677Z\"}}], \"cna\": {\"title\": \"SFTP root escape via component-agnostic prefix check in ssh_sftpd\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Luigino Camastra / Aisle Research\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Jakub Witczak\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"Micha\\u0142 W\\u0105sowski\"}], \"impacts\": [{\"capecId\": \"CAPEC-126\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-126 Path Traversal\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:erlang:erlang\\\\/otp:*:*:*:*:*:*:*:*\"], \"repo\": \"https://github.com/erlang/otp\", \"vendor\": \"Erlang\", \"modules\": [\"ssh_sftpd\"], \"product\": \"OTP\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"5.5.1\", \"status\": \"unaffected\"}, {\"at\": \"5.2.11.6\", \"status\": \"unaffected\"}, {\"at\": \"5.1.4.14\", \"status\": \"unaffected\"}], \"version\": \"3.0.1\", \"lessThan\": \"*\", \"versionType\": \"otp\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"pkg:otp/ssh@5.5.1\", \"status\": \"unaffected\"}, {\"at\": \"pkg:otp/ssh@5.2.11.6\", \"status\": \"unaffected\"}, {\"at\": \"pkg:otp/ssh@5.1.4.14\", \"status\": \"unaffected\"}], \"version\": \"pkg:otp/ssh@3.0.1\", \"lessThan\": \"pkg:otp/ssh@*\", \"versionType\": \"purl\"}], \"packageURL\": \"pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git\", \"packageName\": \"ssh\", \"programFiles\": [\"src/ssh_sftpd.erl\"], \"defaultStatus\": \"unknown\", \"programRoutines\": [{\"name\": \"ssh_sftpd:is_within_root/2\"}]}, {\"cpes\": [\"cpe:2.3:a:erlang:erlang\\\\/otp:*:*:*:*:*:*:*:*\"], \"repo\": \"https://github.com/erlang/otp\", \"vendor\": \"Erlang\", \"modules\": [\"ssh_sftpd\"], \"product\": \"OTP\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"28.4.1\", \"status\": \"unaffected\"}, {\"at\": \"27.3.4.9\", \"status\": \"unaffected\"}, {\"at\": \"26.2.5.18\", \"status\": \"unaffected\"}], \"version\": \"17.0\", \"lessThan\": \"*\", \"versionType\": \"otp\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"27688a824f753d4c16371dc70e88753fb410590b\", \"status\": \"unaffected\"}, {\"at\": \"9e0ac85d3485e7898e0da88a14be0ee2310a3b28\", \"status\": \"unaffected\"}, {\"at\": \"5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759\", \"status\": \"unaffected\"}], \"version\": \"0\", \"lessThan\": \"*\", \"versionType\": \"git\"}], \"packageURL\": \"pkg:github/erlang/otp\", \"packageName\": \"erlang/otp\", \"programFiles\": [\"lib/ssh/src/ssh_sftpd.erl\"], \"collectionURL\": \"https://github.com\", \"defaultStatus\": \"unknown\", \"programRoutines\": [{\"name\": \"ssh_sftpd:is_within_root/2\"}]}], \"references\": [{\"url\": \"https://github.com/erlang/otp/security/advisories/GHSA-4749-w85x-hw9h\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://www.erlang.org/doc/system/versions.html#order-of-versions\", \"tags\": [\"x_version-scheme\"]}, {\"url\": \"https://github.com/erlang/otp/commit/27688a824f753d4c16371dc70e88753fb410590b\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/erlang/otp/commit/9e0ac85d3485e7898e0da88a14be0ee2310a3b28\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/erlang/otp/commit/5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759\", \"tags\": [\"patch\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"* Use OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment.\\n* Ensure that no sensitive or precious data is readable or writable by the OS user running the Erlang VM.\\n* Ensure that the SFTP server port is not reachable from untrusted machines.\\n* Use directory naming conventions that avoid common prefixes (e.g., /home/users/alice/ instead of /home/user1/).\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive or precious data is readable or writable by the OS user running the Erlang VM.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eUse directory naming conventions that avoid common prefixes (e.g., \u003ctt\u003e/home/users/alice/\u003c/tt\u003e instead of \u003ctt\u003e/home/user1/\u003c/tt\u003e).\u003c/li\u003e\u003c/ul\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.\\n\\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2.\\n\\nThe SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root.\\n\\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routines \u003ctt\u003essh_sftpd:is_within_root/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe SFTP server uses string prefix matching via \u003ctt\u003elists:prefix/2\u003c/tt\u003e rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to \u003ctt\u003e/home/user1\u003c/tt\u003e, paths like \u003ctt\u003e/home/user10\u003c/tt\u003e or \u003ctt\u003e/home/user1_backup\u003c/tt\u003e would incorrectly be considered within the root.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:erlang:erlang\\\\/otp:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"26.2.5.18\"}, {\"criteria\": \"cpe:2.3:a:erlang:erlang\\\\/otp:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"27.3.4.9\", \"versionStartIncluding\": \"27.0\"}, {\"criteria\": \"cpe:2.3:a:erlang:erlang\\\\/otp:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"28.4.1\", \"versionStartIncluding\": \"28.0\"}], \"operator\": \"OR\"}], \"operator\": \"AND\"}], \"providerMetadata\": {\"orgId\": \"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\", \"shortName\": \"EEF\", \"dateUpdated\": \"2026-03-13T16:07:54.430Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-23942\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-13T16:07:54.430Z\", \"dateReserved\": \"2026-01-19T14:23:14.343Z\", \"assignerOrgId\": \"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\", \"datePublished\": \"2026-03-13T09:11:56.424Z\", \"assignerShortName\": \"EEF\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…