CVE-2026-23942
Path Traversal in Erlang OTP ssh_sftpd Allows Unauthorized Access

Publication date: 2026-03-13

Last updated on: 2026-04-06

Assigner: EEF

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2. The SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
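The flawed prefix check the description names, shown next to a component-wise check, as an added illustration that is not OTP's own code or its actual fix; the module name, the normalize/1 helper and the sample paths are constructed for this example, and absolute string paths are assumed.

```erlang
%% Constructed illustration for CVE-2026-23942; not code from OTP.
-module(sftp_root_check).
-export([is_within_root_prefix/2, is_within_root_components/2, demo/0]).

%% Flawed pattern: a plain string prefix test. "/home/user10" and
%% "/home/user1_backup" both start with "/home/user1", so both pass.
is_within_root_prefix(Root, Path) ->
    lists:prefix(Root, Path).

%% Component-wise check: split both paths with filename:split/1, resolve
%% "." and ".." in each, then require the root's component list to be a
%% prefix of the candidate's component list. A sibling directory that only
%% shares a name prefix differs in its last component, so it is rejected.
is_within_root_components(Root, Path) ->
    RootParts = normalize(filename:split(Root)),
    PathParts = normalize(filename:split(Path)),
    lists:prefix(RootParts, PathParts).

%% Resolve "." and ".." over a component list; ".." never climbs above "/".
%% The accumulator is built in reverse, so the head is the last component.
normalize(Parts) ->
    lists:reverse(lists:foldl(fun norm_step/2, [], Parts)).

norm_step(".", Acc)             -> Acc;
norm_step("..", ["/"])          -> ["/"];
norm_step("..", [_Last | Rest]) -> Rest;
norm_step("..", [])             -> [];
norm_step(Part, Acc)            -> [Part | Acc].

%% Constructed sample paths from the advisory, checked both ways.
%% Returns a list of {Path, PrefixResult, ComponentResult}: the two sibling
%% directories and the ".." path pass the prefix test but fail the
%% component test, while paths genuinely inside the root pass both.
demo() ->
    Root = "/home/user1",
    [{P, is_within_root_prefix(Root, P), is_within_root_components(Root, P)}
     || P <- ["/home/user1", "/home/user1/docs/a.txt",
              "/home/user10", "/home/user1_backup",
              "/home/user1/../user2/secret"]].
```

Save as sftp_root_check.erl, compile with erlc, and call sftp_root_check:demo() from an erl shell. The component check does not follow symbolic links, so a link inside the root that points outside it still needs separate handling.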
Meta Information
Published: 2026-03-13
Last Modified: 2026-04-06
Generated: 2026-05-07
AI Q&A: 2026-03-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (9 associated CPEs)

Vendor   Product   Version / Range
erlang   otp       from 3.0.1 (inclusive) to 5.5.1 (inclusive)
erlang   otp       5.2.11.6
erlang   otp       5.1.4.14
erlang   otp       from 17.0 (inclusive) to 28.4.1 (inclusive)
erlang   otp       27.3.4.9
erlang   otp       26.2.5.18
erlang   ssh       from 3.0.1 (inclusive) to 5.5.1 (inclusive)
erlang   ssh       5.2.11.6
erlang   ssh       5.1.4.14
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Path Traversal issue in the Erlang OTP ssh_sftpd module. It occurs because the SFTP server uses string prefix matching instead of proper path component validation to check if a path is within the configured root directory.

As a result, authenticated users can access sibling directories that share a common name prefix with the root directory. For example, if the root is set to /home/user1, paths like /home/user10 or /home/user1_backup are incorrectly considered within the root, allowing unauthorized access.


How can this vulnerability impact me?

This vulnerability allows authenticated users to access files and directories outside the intended restricted root directory by exploiting improper path validation.

This can lead to unauthorized access to sensitive data stored in sibling directories that should be inaccessible, potentially exposing confidential information or enabling further attacks.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know

