Description
Wish is an SSH server with defaults and a collection of middlewares. From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequences over the SCP protocol. This issue has been patched in version 2.0.1.
Published: 2026-05-07
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a path traversal flaw in the SCP middleware of Wish, an SSH server used by the charmbracelet project. From version 2.0.0 up to, but excluding, 2.0.1, attackers sending specially crafted SCP filenames containing "../" sequences can read, write, or create files outside the configured root directory. This flaw allows arbitrary file access and can enable the injection of malicious code, effectively providing remote code execution capabilities.
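The description and the impact analysis above both come down to one missing property: every filename an SCP client sends must resolve to a location under the configured root before the server reads, writes or creates anything. The following Go function is an added example written for this page, not code from Wish or from charmbracelet; `ConfineToRoot` is a hypothetical helper, and the root `/srv/scp` and the sample names are constructed. It collapses `.` and `..` segments lexically and then asks `filepath.Rel` whether the result still lies under root, rejecting anything that escapes.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a client-supplied path would resolve
// to a location outside the configured root directory.
var ErrOutsideRoot = errors.New("scp: path escapes configured root")

// ConfineToRoot maps a filename received from an SCP client onto the
// server's filesystem and returns the absolute path it may touch, or an
// error if the name would leave root. The check is purely lexical:
// "." and ".." segments are collapsed before the result is compared
// with root, so "a/../../etc/passwd" is caught as well as "../etc/passwd".
// (Hypothetical helper written for this example; not Wish's own code.)
func ConfineToRoot(root, clientPath string) (string, error) {
	if clientPath == "" {
		return "", errors.New("scp: empty path")
	}
	// SCP names use forward slashes. An absolute name would let the
	// client pick any location, so it is rejected rather than re-rooted.
	if strings.HasPrefix(clientPath, "/") || filepath.IsAbs(clientPath) {
		return "", ErrOutsideRoot
	}
	root = filepath.Clean(root)
	// Join cleans the result, collapsing "." and ".." lexically.
	candidate := filepath.Join(root, filepath.FromSlash(clientPath))
	// Rel answers "where is candidate relative to root?". Anything that
	// begins with a ".." segment has escaped. Using Rel instead of a
	// plain string-prefix test avoids accepting "/srv/scp2/x" for root
	// "/srv/scp", and keeps names such as "..hidden" (no separator) valid.
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

func main() {
	const root = "/srv/scp" // constructed example root
	// Constructed sample names, as an SCP client might send them.
	for _, name := range []string{
		"docs/./notes.txt",
		"..hidden/config",
		"../etc/passwd",
		"docs/../../secret.key",
		"../scp2/escape",
		"/etc/shadow",
	} {
		p, err := ConfineToRoot(root, name)
		if err != nil {
			fmt.Printf("%-24q rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-24q -> %s\n", name, p)
	}
}
```

A lexical check like this closes the `../` case the advisory describes, but it does not see symlinks: if the root directory may contain links pointing outside it, the server also needs to resolve the final path (for example with `filepath.EvalSymlinks`, or by opening files through Go 1.24's `os.Root`) before trusting it.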

Affected Systems

Affected systems are servers running the Wish SSH server, specifically charmbracelet Wish versions 2.0.0, 2.0.0.x, and any builds prior to 2.0.1. The issue resides in the SCP middleware and does not affect other components of Wish such as the HTTP or TTY interfaces. Adopting the patched 2.0.1 release or newer versions resolves the problem.

Risk and Exploitability

The CVSS score of 9.6 places this bug in the Critical range, and although the EPSS score is not available, the lack of a KEV listing does not diminish the threat because the vulnerability is trivially exploitable over the network. An attacker only needs the ability to connect to the Wish SSH service and issue SCP commands with crafted filenames; no additional privileges or credentials are required. The high severity, network-level access, and potential for code execution make immediate patching essential.

Generated by OpenCVE AI on May 7, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wish to v2.0.1 or later.
  • If an upgrade cannot be performed immediately, disable or remove the SCP middleware or block SCP traffic.
  • Configure the SSH server to run in a restricted environment, such as a chroot, to limit file system access.

Advisories
Source: Github GHSA
ID: GHSA-xjvp-7243-rg9h
Title: Wish has SCP Path Traversal that allows arbitrary file read/write
History

Thu, 07 May 2026 21:45:00 +0000

Type: First Time appeared
Values Added: Charmbracelet; Charmbracelet wish

Type: Vendors & Products
Values Added: Charmbracelet; Charmbracelet wish

Thu, 07 May 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 07 May 2026 13:45:00 +0000

Type: Description
Values Added: Wish is an SSH server with defaults and a collection of middlewares. From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequences over the SCP protocol. This issue has been patched in version 2.0.1.

Type: Title
Values Added: Wish has SCP Path Traversal that allows arbitrary file read/write

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:41:57.990Z

Reserved: 2026-04-21T14:15:21.960Z

Link: CVE-2026-41589

Vulnrichment

Updated: 2026-05-07T14:41:49.769Z

NVD

Status : Awaiting Analysis

Published: 2026-05-07T14:16:02.853

Modified: 2026-05-07T16:16:19.833

Link: CVE-2026-41589

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:24:43Z

Weaknesses