Description
A malicious SCP server can send unexpected paths that could make the
client application override local files outside of working directory.
This could be misused to create malicious executable or configuration
files and make the user execute them under specific consequences.

This is the same issue as in OpenSSH, tracked as CVE-2019-6111.
Published: 2026-03-26
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file overwrite via SCP path traversal
Action: Apply patch
AI Analysis

Impact

A malicious SCP server can deliver filenames that are not properly sanitized by libssh, allowing the client to overwrite arbitrary files outside the intended working directory. This vulnerability could be used to replace system binaries, place malicious executables, or alter configuration files, potentially leading to unauthorized code execution or privilege escalation.

Affected Systems

The issue affects Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4. Any system running a vulnerable version of libssh used by SSH/SCP clients on these platforms is potentially impacted.

Risk and Exploitability

The CVSS score is 5.0, indicating moderate severity, and the EPSS score is below 1 %, suggesting a low but non‑zero likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a malicious SCP server that sends a crafted path. The client blindly accepts the path and writes to the local filesystem, providing a clear attack vector for overwrite of critical files.

Generated by OpenCVE AI on April 15, 2026 at 15:38 UTC.

Remediation

Vendor Workaround

Do not use SCP! SCP is deprecated for several years and will be removed in future releases! If you have to, the application MUST validate the path returned from `ssh_scp_request_get_filename()` is the path the application requested. The libssh does not do any writing in this case.

OpenCVE Recommended Actions

  • Update libssh to a patched version (e.g., libssh 0.12.0 or newer).
  • Replace SCP with a more secure transfer method such as SFTP or a protocol that validates filenames.
  • If SCP must be used, add code to verify that the path returned by ssh_scp_request_get_filename() matches the path that was originally requested.

Generated by OpenCVE AI on April 15, 2026 at 15:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8051-2 libssh vulnerabilities
History

Thu, 09 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hummingbird
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat hummingbird

Thu, 26 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue as in OpenSSH, tracked as CVE-2019-6111.
Title libssh: Improper sanitation of paths received from SCP servers Libssh: improper sanitation of paths received from scp servers
First Time appeared Redhat
Redhat enterprise Linux
Redhat openshift
CPEs cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openshift
References

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Libssh
Libssh libssh
Vendors & Products Libssh
Libssh libssh

Wed, 11 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title libssh: Improper sanitation of paths received from SCP servers
Weaknesses CWE-22
References
Metrics threat_severity

None

 cvssV3_0

{'score': 5.0, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L'}

threat_severity

Moderate

Subscriptions

Libssh Libssh
Redhat Enterprise Linux Hummingbird Openshift
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-18T18:05:50.867Z

Reserved: 2026-01-14T21:54:31.925Z

Link: CVE-2026-0964

cve-icon Vulnrichment

Updated: 2026-03-26T20:30:14.755Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-26T21:17:00.393

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-0964

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-10T18:44:42Z

Links: CVE-2026-0964 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses