Description
Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.

The SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the is_within_root/2 check without being resolved. The un-canonicalized path then enters resolve_symlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths.

An authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (SSH_FXP_NAME when the path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.
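The mechanism above (a prefix check applied to a path whose `..` components were never resolved, followed by a filesystem walk whose outcome is echoed back as a status code) is easy to see in a small model. The following Python is an added illustration, not code from Erlang/OTP: the function names mirror the Erlang routines named in the advisory, the fake filesystem and the root `/srv/sftp` are constructed, and the status returned by the hardened handler is an assumption (the advisory does not say what the fixed release returns). Comparing `canonicalize=False` with `canonicalize=True` shows why the REALPATH handler leaks and the other handlers do not.

```python
"""Model of the ssh_sftpd REALPATH root check described in CVE-2026-53422.

Added illustration in Python, not code from Erlang/OTP.  Function names
echo the advisory's Erlang routines but the bodies are assumptions.
"""
import posixpath

# Constructed fake host filesystem: the set of paths that "exist".  It
# stands in for the read_link()/stat calls a real server would make, so
# the model runs offline.
HOST_FS = {
    "/", "/etc", "/etc/passwd", "/home", "/home/alice",
    "/srv", "/srv/sftp", "/srv/sftp/docs", "/srv/sftp/docs/readme.txt",
}

SSH_FXP_NAME = "SSH_FXP_NAME"
SSH_FX_NO_SUCH_FILE = "SSH_FX_NO_SUCH_FILE"
# Status used by the hardened handler below; assumed, not from the advisory.
SSH_FX_PERMISSION_DENIED = "SSH_FX_PERMISSION_DENIED"


def is_within_root(root, path):
    """String prefix check: is `path` at or below `root`?  It does not
    resolve '..' itself, so it is only as good as the path it is handed."""
    root = root.rstrip("/") or "/"
    return path == root or path.startswith(root + "/")


def relate_file_name(root, client_path, canonicalize):
    """Join the client-supplied path onto the configured root.

    With canonicalize=False the '..' components survive the join, which is
    the condition the advisory describes for the REALPATH handler.  With
    canonicalize=True they are collapsed before the root check runs.
    """
    joined = posixpath.join(root, client_path.lstrip("/"))
    return posixpath.normpath(joined) if canonicalize else joined


def resolve_symlinks(path, fs):
    """Walk `path` one component at a time, consulting the (fake) filesystem
    at every step, as a realpath implementation would.  Returns the resolved
    path, or None at the first component that does not exist (ENOENT)."""
    resolved = "/"
    for comp in [c for c in path.split("/") if c]:
        if comp == "..":
            resolved = posixpath.dirname(resolved)   # climbs above root freely
        elif comp != ".":
            resolved = posixpath.join(resolved, comp)
        if resolved not in fs:
            return None
    return resolved


def handle_realpath(root, client_path, canonicalize, fs=HOST_FS):
    """REALPATH handler.  canonicalize=False reproduces the vulnerable
    ordering (root check on the raw path, then filesystem walk);
    canonicalize=True is the hardened form, which rejects traversal before
    touching the filesystem and so returns the same status either way."""
    rel = relate_file_name(root, client_path, canonicalize)
    if not is_within_root(root, rel):
        return (SSH_FX_PERMISSION_DENIED, None)
    resolved = resolve_symlinks(rel, fs)
    if resolved is None:
        return (SSH_FX_NO_SUCH_FILE, None)
    return (SSH_FXP_NAME, resolved)


def enumerate_paths(root, candidates, canonicalize, fs=HOST_FS):
    """What the oracle gives an authenticated client: for each candidate
    path, whether it exists on the host, inferred purely from the reply."""
    return {c: handle_realpath(root, c, canonicalize, fs)[0] == SSH_FXP_NAME
            for c in candidates}


if __name__ == "__main__":
    probes = ["../../etc/passwd", "../../etc/shadow",
              "../../home/alice", "../../home/bob"]
    print("vulnerable:", enumerate_paths("/srv/sftp", probes, canonicalize=False))
    print("hardened:  ", enumerate_paths("/srv/sftp", probes, canonicalize=True))
```

With `canonicalize=False`, `/srv/sftp/../../etc/passwd` passes the prefix check because the string still begins with `/srv/sftp`, the walk then climbs to `/etc/passwd`, and the reply distinguishes it from `/etc/shadow`, which the fake filesystem lacks. With `canonicalize=True` both collapse to paths outside the root and get an identical rejection, so nothing about the host is revealed. To check a live deployment, paramiko's `SFTPClient.normalize()` is the client-side call that issues SSH_FXP_REALPATH: an affected server answers a traversal path differently depending on whether the target exists, while a fixed one does not.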

The vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.

This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_op/4.

This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
Published: 2026-07-02
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an observable response discrepancy in the SSH_FXP_REALPATH handler of the Erlang OTP ssh_sftpd module, classified as CWE-204 (Observable Response Discrepancy); the underlying cause is that the handler checks the requested path against the configured root before resolving its .. components. An authenticated SFTP client can send a REALPATH request containing a crafted traversal path. Because the path is not canonicalized, it passes the root check and the server resolves it as given, walking up the directory tree above the configured SFTP root and issuing read_link() syscalls on arbitrary filesystem locations. The server then returns SSH_FXP_NAME when the target exists or SSH_FX_NO_SUCH_FILE when it does not; this creates a path-existence oracle that lets an attacker determine whether arbitrary files or directories outside the configured root exist on the host. The only information disclosed is the existence of paths: file contents, credentials, and write access are not exposed, but the information gathered can aid subsequent attacks.

Affected Systems

Affected systems are Erlang/OTP installations from version 17.0 up to, but not including, OTP 29.0.3, OTP 28.5.0.3, and OTP 27.3.4.14. These correspond to the ssh application starting at ssh-3.0.1 and extending up to ssh-6.0.2, ssh-5.5.2.2, and ssh-5.2.11.9, respectively. The flaw is in the server-side ssh_sftpd module, so a deployment is exposed only where it actually runs an SFTP server built on ssh_sftpd within these version ranges; an OTP installation that does not serve SFTP is not reachable through this issue.

Risk and Exploitability

The CVSS v4.0 score of 2.3 indicates a low overall severity; the vector (AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N) reflects a network-reachable service that requires low privileges (a valid SFTP account) and yields a limited confidentiality impact only. The EPSS score is below 1%, indicating a very low estimated probability of exploitation in the wild, and the issue is not listed in CISA's KEV catalog. Exploitation requires an authenticated SFTP session, so an attacker must already possess valid credentials. Once authenticated, the attacker can repeatedly send crafted REALPATH requests to enumerate the host's filesystem structure outside the SFTP root; nothing distinguishes these from ordinary REALPATH traffic except the .. components in the requested path. The impact is confined to information disclosure, though the knowledge gained can assist other attacks when combined with additional weaknesses.

Generated by OpenCVE AI on July 3, 2026 at 13:06 UTC.

Remediation

Vendor Workaround

* Use OS-level chroot to run the Erlang VM or SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level root option.
* Ensure the SFTP server port on the machine running the Erlang/OTP SFTP server is not reachable from untrusted machines.
* Ensure that no sensitive information (usernames, project names, mount topology) is inferrable from the existence or non-existence of paths on the host filesystem.


OpenCVE Recommended Actions

  • Upgrade Erlang/OTP to a later release that includes the fix for the ssh_sftpd REALPATH path-existence oracle
  • Run the Erlang/OTP SFTP server inside an OS-level chroot or other isolated filesystem to prevent access to the host filesystem outside the intended root
  • Ensure the SFTP service port is confined to trusted hosts only, binding to localhost or applying firewall rules to block untrusted networks


Tracking


Advisories

No advisories yet.

History

Thu, 02 Jul 2026 21:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Erlang erlang/otp
                                       Erlang otp
Vendors & Products                     Erlang erlang/otp
                                       Erlang otp

Thu, 02 Jul 2026 18:30:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 16:45:00 +0000

Type                  Values Removed   Values Added
Description                            (added; full text as given in the Description section above)
Title                                  SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured root
First Time appeared                    Erlang
                                       Erlang erlang/otp
Weaknesses                             CWE-204
CPEs                                   cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Vendors & Products                     Erlang
                                       Erlang erlang/otp
References
Metrics                                cvssV4_0
                                       {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-07-03T04:28:59.578Z

Reserved: 2026-06-09T11:01:47.529Z

Link: CVE-2026-53422

Vulnrichment

Updated: 2026-07-02T17:29:28.071Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T13:15:12Z

Weaknesses
  • CWE-204

    Observable Response Discrepancy