Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery.

The SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /.

The information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.

This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.

This issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.
Published: 2026-06-10
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Erlang OTP's ssh_sftpd module allows an authenticated SFTP client to create a symbolic link pointing to the root of the underlying filesystem. When the client queries the link with SSH_FXP_READLINK, the server returns the absolute backend path instead of the chrooted value, revealing the SFTP root directory and any symlink targets. This flaw is an instance of CWE‑200 Information Exposure, exposing sensitive filesystem structure without providing access to file contents or credentials. The attacker can only glean absolute paths, which could aid in further reconnaissance, but cannot directly read or modify files.

Affected Systems

Erlang OTP 17.0 up to but excluding 29.0.2, 28.5.0.2, and 27.3.4.13, as well as the associated ssh libraries 3.0.1 up to but excluding 6.0.1, 5.5.2.1, and 5.2.11.8, are vulnerable when configurable chroot roots are used and the SFTP service is exposed.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity. Exploitation requires an authenticated SFTP client and relies on the server’s configured chroot root directory. Neither EPSS data nor CISA KEV listing suggests active exploitation in the wild. Attackers gain only file path information, which may aid in reconnaissance but does not directly compromise files or elevate privileges.

Generated by OpenCVE AI on June 10, 2026 at 17:51 UTC.

Remediation

Vendor Workaround

* Use OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level root option. * Ensure that the SFTP server port is not reachable from untrusted machines. * Ensure that no sensitive information (usernames, project names, mount topology) is inferrable from the absolute path of the configured root directory.

OpenCVE Recommended Actions

  • Upgrade Erlang OTP to version 29.0.2 or later, 28.5.0.2 or later, or 27.3.4.14 or later, which includes the fix.
  • Run the Erlang VM/SFTP server inside an OS-level chroot to isolate it from the actual filesystem.
  • Ensure the SFTP service is accessible only from trusted networks and avoid exposing sensitive path information to clients.

Generated by OpenCVE AI on June 10, 2026 at 17:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Erlang erlang/otp
Erlang otp
Vendors & Products Erlang erlang/otp
Erlang otp

Wed, 10 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery. The SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /. The information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.
Title SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured
First Time appeared Erlang
Erlang erlang\/otp
Weaknesses CWE-200
CPEs cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Vendors & Products Erlang
Erlang erlang\/otp
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Erlang Erlang/otp Erlang\/otp Otp
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-10T16:22:24.746Z

Reserved: 2026-05-25T20:44:10.697Z

Link: CVE-2026-48855

cve-icon Vulnrichment

Updated: 2026-06-10T16:22:20.955Z

cve-icon NVD

Status : Received

Published: 2026-06-10T16:17:09.680

Modified: 2026-06-10T16:17:09.680

Link: CVE-2026-48855

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T18:30:36Z

Weaknesses