Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.

This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2.

The SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root.

This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal / Root Escape via SFTP
Action: Apply Patch
AI Analysis

Impact

Key detail from the vendor description: 'The SFTP server uses string prefix matching via lists:prefix/2 ...'. Because of this design, an authenticated user can supply file names that share a common string prefix with the configured root path, so that paths such as /home/user10 or /home/user1_backup are incorrectly treated as inside a root of /home/user1. The resulting path traversal lets the attacker read, write, or delete files outside the intended directory, compromising the confidentiality and integrity, and possibly the availability, of data on that filesystem.
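The prefix-versus-component distinction described in the vendor description and restated above, as an added Python illustration (this is not the Erlang code of ssh_sftpd.erl): `is_within_root_prefix` mimics a lists:prefix/2-style string check, while `is_within_root` compares whole, normalized path components. The function names and the normalization step are assumptions made for the example.

```python
import posixpath

# Constructed illustration of the CVE-2026-23942 weakness (not OTP's code):
# a string-prefix root check versus a per-component root check.


def is_within_root_prefix(root: str, path: str) -> bool:
    """Vulnerable form: true whenever `path` begins with the characters of `root`,
    so /home/user10 and /home/user1_backup pass for a root of /home/user1."""
    return path.startswith(root)


def _components(p: str) -> list[str]:
    # Assumed hardening step: collapse '.', '..' and repeated slashes before
    # splitting, so a traversal sequence cannot hide behind a valid prefix.
    norm = posixpath.normpath(p)
    return [c for c in norm.split("/") if c]


def is_within_root(root: str, path: str) -> bool:
    """Hardened form: `path` must be `root` itself or lie below it,
    compared one directory component at a time."""
    root_parts = _components(root)
    path_parts = _components(path)
    if len(path_parts) < len(root_parts):
        return False
    return path_parts[: len(root_parts)] == root_parts


def compare(root: str, candidates: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each candidate path to (prefix_check_result, component_check_result)."""
    return {p: (is_within_root_prefix(root, p), is_within_root(root, p)) for p in candidates}


if __name__ == "__main__":
    # Constructed sample paths taken from the advisory's own example root.
    root = "/home/user1"
    for path, (weak, strict) in compare(root, [
        "/home/user1/.ssh/authorized_keys",
        "/home/user10/secret.txt",
        "/home/user1_backup/dump.sql",
        "/home/user1/../user10/x",
    ]).items():
        print(f"{path:40} prefix={weak!s:5} component={strict}")
```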

Affected Systems

The vulnerability affects Erlang/OTP releases from OTP 17.0 through OTP 28.4.1, and specific builds 27.3.4.9 and 26.2.5.18. Corresponding ssh module versions that contain the flaw range from ssh 3.0.1 through 5.5.1, 5.2.11.6, and 5.1.4.14. Systems running these OTP or ssh releases with an exposed SFTP service for authenticated users are vulnerable.

Risk and Exploitability

Based on the description, it is inferred that the attacker must first authenticate to the SFTP service. The weakness permits traversal to sibling directories that share a name prefix, effectively escaping the configured root. The CVSS score is 5.3 (medium), the EPSS score is <1%, and the vulnerability is not listed in the CISA KEV catalog, indicating a low but tangible risk. While the exploitation does not require additional privileges beyond SFTP authentication, the potential for unauthorized file access makes this a significant concern for multi-tenant or shared environments. The likely attack vector is a local SFTP connection from a trusted or compromised client that supplies malicious path names.

Generated by OpenCVE AI on March 19, 2026 at 15:25 UTC.

Remediation

Vendor Workaround

* Use OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment.
* Ensure that no sensitive or precious data is readable or writable by the OS user running the Erlang VM.
* Ensure that the SFTP server port is not reachable from untrusted machines.
* Use directory naming conventions that avoid common prefixes (e.g., /home/users/alice/ instead of /home/user1/).

OpenCVE Recommended Actions

  • Upgrade Erlang/OTP to a version beyond the vulnerable releases (e.g., OTP 28.4.2 or newer).
  • Run the Erlang VM/SFTP server inside an OS-level chroot to isolate the filesystem.
  • Operate the Erlang VM under a dedicated OS user that cannot read or write sensitive data.
  • Restrict the SFTP service port to trusted networks so untrusted inbound connections cannot reach it.
  • Adopt directory naming conventions that avoid common prefixes (e.g., use /home/users/alice/ instead of /home/user1/).

Generated by OpenCVE AI on March 19, 2026 at 15:25 UTC.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Erlang erlang/otp, Erlang otp

Type: Vendors & Products
Values Added: Erlang erlang/otp, Erlang otp

Fri, 13 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 09:30:00 +0000

Type: Description
Values Added: the vendor description shown at the top of this page

Type: Title
Values Added: SFTP root escape via component-agnostic prefix check in ssh_sftpd

Type: First Time appeared
Values Added: Erlang, Erlang erlang/otp

Type: Weaknesses
Values Added: CWE-22

Type: CPEs
Values Added: cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Erlang, Erlang erlang/otp

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-03-13T16:07:54.430Z

Reserved: 2026-01-19T14:23:14.343Z

Link: CVE-2026-23942

Vulnrichment

Updated: 2026-03-13T16:02:34.677Z

NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:15.520

Modified: 2026-03-16T14:54:11.293

Link: CVE-2026-23942

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:35Z

Weaknesses