Description
Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH access to git repositories outside the configured git server root directory.

Applications are affected if they use org.apache.sshd:sshd-git. Applications not using sshd-git are not affected.

Users are advised to upgrade affected applications to Apache MINA SSHD 2.18.0, which fixes the issue.

The issue is also present in the pre-release milestones 3.0.0-M1 to 3.0.0-M3 of the upcoming major version 3.0.0. Again, applications are affected only if they use sshd-git. Upgrade affected applications to 3.0.0-M4.

We would like to point out that a professional git server should not rely solely on file system layout and permissions, but should implement additional security controls to govern access to git repositories and operations allowed on particular git repositories.
Published: 2026-06-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw in the Apache MINA SSHD sshd-git bundle lets a user authenticated over SSH supply a repository path to git-upload-pack, git-receive-pack and related git operations that is not validated against the configured git server root directory. The user can therefore fetch from (git-upload-pack) or push to (git-receive-pack) git repositories outside that root, compromising the confidentiality and, to a lesser extent, the integrity of data held on the server. The weakness is classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

Affected Systems

The vulnerability affects users of the Apache MINA SSHD project, specifically those employing the sshd‑git module. Any installation that includes sshd‑git prior to version 2.18.0 is impacted, as are pre‑release milestones 3.0.0‑M1 through 3.0.0‑M3. The issue does not apply to applications that have not integrated sshd‑git.

Risk and Exploitability

The recorded CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) indicates high severity: reachable over the network, low attack complexity, no user interaction, with a high confidentiality and low integrity impact. The EPSS estimate is below 1%, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation and rates it as not automatable. Exploitation requires authenticated SSH access to the git server, which is normally granted to developers and automation rather than to the public, but such an account is enough: the user names a repository path that escapes the configured root and runs git-upload-pack or git-receive-pack against it. How much is disclosed or tampered with depends on what the server process can reach under its own file system permissions, which is why the vendor advises not relying on layout and permissions alone.

Generated by OpenCVE AI on June 1, 2026 at 10:35 UTC.

Remediation

Fixed by the vendor: upgrade to Apache MINA SSHD 2.18.0 (2.x line), or to 3.0.0-M4 for deployments on the 3.0.0 pre-release milestones. No workaround is published; deployments that cannot upgrade yet should lean on the operating-system and application-level controls listed below.

OpenCVE Recommended Actions

  • Upgrade the Apache MINA SSHD installation to version 2.18.0 or later, or to 3.0.0‑M4 on the 3.0.0 milestone line, which adds the missing path validation.
  • Run the git server process under a dedicated low‑privilege account and confine it to the configured repository root with file system permissions and directory isolation, so that a traversed path reaches nothing sensitive.
  • Implement application‑level access controls that decide, per user and per repository, which git operations (fetch via git‑upload‑pack, push via git‑receive‑pack) may run, rather than relying on the file system layout alone.
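The following is an added example, not code from Apache MINA SSHD or sshd-git, and it does not show how sshd-git resolves repository paths internally. It illustrates in plain Java (java.nio.file) the two controls the description and the actions above call for: the unchecked root.resolve(client string) pattern that lets ".." segments and absolute paths leave the root, a checked resolver that rejects them and follows symlinks, and a per-user, per-repository authorisation of the requested git service. GitCommandGate, authorise, the ACL map, the temporary repository root and the users alice and bob are hypothetical names and constructed test data.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration, not code from Apache MINA SSHD or sshd-git.
 * Names are hypothetical. Shows path confinement to the git root plus
 * per-repository authorisation of the git service being requested.
 */
public final class GitCommandGate {

    private final Path root;
    // Hypothetical ACL: user -> repository (relative to root) -> permitted git services.
    private final Map<String, Map<String, Set<String>>> acl;

    public GitCommandGate(Path root, Map<String, Map<String, Set<String>>> acl) throws IOException {
        this.root = root.toRealPath(); // canonical root, so prefix checks compare like with like
        this.acl = acl;
    }

    /** Vulnerable pattern: trusts the client string. "../x" or "/etc/x" escapes the root. */
    public Path resolveUnchecked(String requested) {
        return root.resolve(requested);
    }

    /** Hardened pattern: reject absolute input, normalise "..", enforce the prefix, follow symlinks. */
    public Path resolveChecked(String requested) throws IOException {
        Path rel = Paths.get(requested);
        if (rel.isAbsolute()) {
            throw new SecurityException("absolute repository path rejected: " + requested);
        }
        Path candidate = root.resolve(rel).normalize();
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path escapes git root: " + requested);
        }
        if (!Files.isDirectory(candidate)) {
            throw new SecurityException("no such repository: " + requested);
        }
        // A symlink inside the root that points outside passes the lexical check; toRealPath catches it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(root)) {
            throw new SecurityException("symlink escapes git root: " + requested);
        }
        return real;
    }

    /** Full gate: confine the path first, then authorise the service for this user and repository. */
    public Path authorise(String user, String service, String requested) throws IOException {
        Path repo = resolveChecked(requested);
        String key = root.relativize(repo).toString().replace('\\', '/');
        Set<String> allowed = acl.getOrDefault(user, Map.of()).getOrDefault(key, Set.of());
        if (!allowed.contains(service)) {
            throw new SecurityException(user + " may not run " + service + " on " + key);
        }
        return repo;
    }

    public static void main(String[] args) throws IOException {
        // Constructed test data: a throwaway git root with two repositories and two users.
        Path tmp = Files.createTempDirectory("gitroot");
        Files.createDirectories(tmp.resolve("team/app.git"));
        Files.createDirectories(tmp.resolve("team/secret.git"));
        Map<String, Map<String, Set<String>>> acl = Map.of(
            "alice", Map.of("team/app.git", Set.of("git-upload-pack", "git-receive-pack")),
            "bob",   Map.of("team/app.git", Set.of("git-upload-pack")));
        GitCommandGate gate = new GitCommandGate(tmp, acl);

        String[][] cases = {
            {"alice", "git-receive-pack", "team/app.git"},         // allowed
            {"bob",   "git-receive-pack", "team/app.git"},         // read-only user trying to push
            {"bob",   "git-upload-pack",  "team/secret.git"},      // repository not granted to bob
            {"alice", "git-upload-pack",  "../../etc/ssh"},        // classic traversal
            {"alice", "git-upload-pack",  "team/../../other.git"}, // traversal hidden behind a valid prefix
            {"alice", "git-upload-pack",  "/etc"},                 // absolute: root.resolve() returns it unchanged
        };
        for (String[] c : cases) {
            System.out.printf("%-6s %-17s %-22s unchecked=%s%n", c[0], c[1], c[2],
                gate.resolveUnchecked(c[2]).normalize());
            try {
                System.out.println("   -> OK " + gate.authorise(c[0], c[1], c[2]));
            } catch (SecurityException e) {
                System.out.println("   -> REJECTED: " + e.getMessage());
            }
        }
    }
}
```

The unchecked column in the output is the point of the advisory: Path.resolve happily yields a location outside the root for the last three requests, and nothing short of a prefix check against a canonicalised root stops it. The authorisation step is deliberately separate from path confinement, so that a future resolver bug still leaves the per-repository allow-list in force.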


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 00:15:00 +0000

  Type         Values Removed           Values Added
  References
  Metrics      threat_severity: None    threat_severity: Moderate



Mon, 01 Jun 2026 17:15:00 +0000

  Type    Values Removed   Values Added
  CPEs                     cpe:2.3:a:apache:mina_sshd:*:*:*:*:*:*:*:*
                           cpe:2.3:a:apache:mina_sshd:3.0.0:m1:*:*:*:*:*:*
                           cpe:2.3:a:apache:mina_sshd:3.0.0:m2:*:*:*:*:*:*
                           cpe:2.3:a:apache:mina_sshd:3.0.0:m3:*:*:*:*:*:*

Mon, 01 Jun 2026 13:15:00 +0000

  Type       Values Removed   Values Added
  Metrics                     ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 11:30:00 +0000

  Type          Values Removed   Values Added
  References

Mon, 01 Jun 2026 11:15:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared                    Apache
                                         Apache mina Sshd
  Vendors & Products                     Apache
                                         Apache mina Sshd

Mon, 01 Jun 2026 09:15:00 +0000

  Type          Values Removed   Values Added
  Description                    Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH access to git repositories outside the configured git server root directory. Applications are affected if they use org.apache.sshd:sshd-git. Applications not using sshd-git are not affected. Users are advised to upgrade affected applications to Apache MINA SSHD 2.18.0, which fixes the issue. The issue is also present in the pre-release milestones 3.0.0-M1 to 3.0.0-M3 of the upcoming major version 3.0.0. Again, applications are affected only if they use sshd-git. Upgrade affected applications to 3.0.0-M4. We would like to point out that a professional git server should not rely solely on file system layout and permissions, but should implement additional security controls to govern access to git repositories and operations allowed on particular git repositories.
  Title                          Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git
  Weaknesses                     CWE-22
  References
  Metrics                        cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-01T12:44:56.455Z

Reserved: 2026-05-23T09:06:08.581Z

Link: CVE-2026-48827

Vulnrichment

Updated: 2026-06-01T09:52:50.126Z

NVD

Status : Analyzed

Published: 2026-06-01T09:16:20.307

Modified: 2026-06-01T17:08:05.960

Link: CVE-2026-48827

Redhat

Severity : Moderate

Public Date: 2026-06-01T08:37:41Z

Links: CVE-2026-48827 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-01T11:00:07Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')