CVE-2026-32147
Path Traversal in Erlang OTP ssh_sftpd Enables Privilege Escalation
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: EEF
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| erlang | otp | to 28.4.3 (inc) |
| erlang | otp | 27.3.4.11 |
| erlang | otp | 26.2.5.20 |
| erlang | ssh | to 5.5.3 (inc) |
| erlang | ssh | 5.2.11.7 |
| erlang | ssh | 5.1.4.15 |
| erlang | ssh | to 5.2.11.7 (inc) |
| erlang | ssh | to 5.1.4.15 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32147 is a path traversal vulnerability in the Erlang OTP ssh_sftpd module, specifically affecting the SFTP daemon. The issue occurs because ssh_sftpd stores raw, user-supplied paths in file handles instead of paths resolved within the chroot directory. This flaw allows an authenticated SFTP user to modify file attributes such as permissions, ownership, and timestamps on files outside the configured chroot directory by issuing the SSH_FXP_FSETSTAT command on these handles.
The vulnerability requires the SFTP subsystem to be configured with the "root" option, which is not enabled by default. It only allows modification of file attributes, not the contents of files. If the SSH daemon runs as root, this can lead to privilege escalation by enabling attackers to set the setuid bit on binaries, change ownership of sensitive files, or make system configurations world-writable.
The vulnerability affects Erlang OTP versions from 17.0 up to 28.4.3 and corresponding ssh versions. Mitigation involves avoiding the use of the "root" option in ssh_sftpd and relying on OS-level chroot or container isolation, as well as running the Erlang VM as an unprivileged user.
How can this vulnerability impact me?
This vulnerability allows any authenticated SFTP user on a server configured with the "root" option to modify file attributes outside the intended chroot boundary. Specifically, an attacker can change permissions, ownership, and timestamps of files on the real filesystem if those files exist at the same relative path.
If the SSH daemon runs with root privileges, this can lead to direct privilege escalation. An attacker could set the setuid bit on binaries, change ownership of sensitive files, or make system configuration files world-writable, potentially compromising the entire system.
However, the vulnerability does not allow reading or modifying file contents, only attribute changes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the ssh_sftpd module storing raw user-supplied paths instead of chroot-resolved paths, allowing modification of file attributes outside the chroot directory by authenticated SFTP users. Detection involves monitoring for unusual SSH_FXP_FSETSTAT requests that modify file attributes outside the expected chroot boundaries.
Since the vulnerability requires the SFTP subsystem to be configured with the "root" option and authenticated access, detection can focus on auditing SFTP server configurations and logs for such usage.
Practical checks include inspecting the ssh_sftpd subsystem_spec configuration for the "root" option and monitoring SFTP server logs for SSH_FXP_FSETSTAT operations that target paths outside the chroot.
- Check ssh_sftpd configuration for use of the "root" option in subsystem_spec.
- Audit SFTP logs for SSH_FXP_FSETSTAT commands modifying file attributes.
- Use file integrity monitoring tools to detect unexpected changes in file attributes outside chroot directories.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the "root" option in ssh_sftpd:subsystem_spec/1, which is the prerequisite for this vulnerability to be exploitable.
Instead, rely on OS-level chroot or container isolation mechanisms to confine SFTP users securely.
Running the Erlang VM as an unprivileged OS user limits the impact, as attribute modifications will be restricted by OS-level permissions.
Apply available patches that fix the vulnerability by enforcing absolute path usage internally in ssh_sftpd, as released in OTP versions 28.4.3, 27.3.4.11, and 26.2.5.20.
- Remove or disable the "root" option in ssh_sftpd:subsystem_spec/1 configuration.
- Use OS-level chroot or container isolation for SFTP confinement.
- Run the Erlang VM as an unprivileged user.
- Update Erlang OTP to patched versions that fix this vulnerability.
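As an added illustration (not OTP's code and not the fix shipped in the patched releases), the Erlang module below shows the defensive pattern behind the mechanism described in the first answer and the configuration check from the mitigation list: a client-supplied path is resolved under the configured root before anything is stored in a handle, and a daemon option list is audited for the "root" option. It assumes the `{root, Path}` ssh_sftpd option and the `{Name, {ssh_sftpd, Opts}}` spec shape returned by `ssh_sftpd:subsystem_spec/1`; the module and function names are hypothetical.

```erlang
%% sftp_root_guard.erl -- illustrative code added here, not part of OTP.
%% Assumes ssh_sftpd's {root, Path} option and the spec shape
%% {Name, {ssh_sftpd, Opts}} returned by ssh_sftpd:subsystem_spec/1.
-module(sftp_root_guard).
-export([resolve_within_root/2, audit_daemon_opts/1]).

%% The flaw: the raw client path is kept in the file handle, so a later
%% SSH_FXP_FSETSTAT on that handle acts on the real filesystem path.
%% Defensive pattern: resolve the path under Root *before* it is stored
%% and reject anything that escapes. This is a lexical check only; a
%% symlink inside Root that points outside is not caught here.
resolve_within_root(Root, UserPath) ->
    AbsRoot   = filename:absname(Root),
    RootParts = filename:split(AbsRoot),
    %% SFTP paths are interpreted relative to the root, so a leading "/"
    %% from the client means "root of the chroot", not the host root.
    Relative  = string:trim(UserPath, leading, "/"),
    Parts     = normalize(filename:split(filename:join(AbsRoot, Relative)), []),
    case lists:prefix(RootParts, Parts) of
        true  -> {ok, filename:join(Parts)};
        false -> {error, outside_root}
    end.

%% Collapse "." and ".." components; ".." at the filesystem root stays there.
normalize([], Acc) -> lists:reverse(Acc);
normalize(["." | T], Acc) -> normalize(T, Acc);
normalize([".." | T], [Last | Acc]) when Last =/= "/" -> normalize(T, Acc);
normalize([".." | T], Acc) -> normalize(T, Acc);
normalize([H | T], Acc) -> normalize(T, [H | Acc]).

%% Flag ssh:daemon/2,3 option lists whose SFTP subsystem relies on the
%% "root" option, the precondition for CVE-2026-32147. Returns the
%% configured root paths; an empty list means the option is not in use.
audit_daemon_opts(DaemonOpts) ->
    Subsystems = proplists:get_value(subsystems, DaemonOpts, []),
    [Root || {_Name, {ssh_sftpd, SftpOpts}} <- Subsystems,
             {root, Root} <- SftpOpts].

%% Weak configuration (affected): confinement delegated to ssh_sftpd.
%%   [{subsystems, [ssh_sftpd:subsystem_spec([{root, "/srv/sftp"}])]}]
%% Hardened configuration: no "root" option; confine the daemon with an
%% OS-level chroot or container and run the VM as an unprivileged user.
%%   [{subsystems, [ssh_sftpd:subsystem_spec([{cwd, "/srv/sftp"}])]}]
```

Feed `audit_daemon_opts/1` the same option list you pass to `ssh:daemon/3` (for example from `sys.config`); any non-empty result identifies a listener that still depends on the "root" option.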
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated SFTP user to modify file attributes outside the configured chroot directory, potentially leading to unauthorized changes in file permissions, ownership, and timestamps.
If the SSH daemon runs as root, this can lead to privilege escalation, enabling attackers to set the setuid bit on binaries, change ownership of sensitive files, or make system configurations world-writable.
Such unauthorized modifications could undermine the integrity and security of sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of data integrity.
Mitigations include avoiding the use of the "root" option in ssh_sftpd and relying on OS-level chroot or container isolation, as well as running the Erlang VM as an unprivileged OS user to limit the impact.