CVE-2026-32147
Analyzed Analyzed - Analysis Complete
Path Traversal in Erlang OTP ssh_sftpd Enables Privilege Escalation

Publication date: 2026-04-21

Last updated on: 2026-05-21

Assigner: EEF

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory. The SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely. Any authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector. If the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4. This issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-05-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32147
EUVD
EUVD-2026-24085
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
erlang erlang/otp From 17.0 (inc) to 26.2.5.20 (exc)
erlang erlang/otp From 27.0 (inc) to 27.3.4.11 (exc)
erlang erlang/otp From 28.0 (inc) to 28.4.3 (exc)
erlang erlang/ssh From 3.0.1 (inc) to 5.1.4.15 (exc)
erlang erlang/ssh From 5.2 (inc) to 5.2.11.7 (exc)
erlang erlang/ssh From 5.5 (inc) to 5.5.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32147 is a path traversal vulnerability in the Erlang OTP ssh_sftpd module, specifically affecting the SFTP daemon. The issue occurs because ssh_sftpd stores raw, user-supplied paths in file handles instead of paths resolved within the chroot directory. This flaw allows an authenticated SFTP user to modify file attributes such as permissions, ownership, and timestamps on files outside the configured chroot directory by issuing the SSH_FXP_FSETSTAT command on these handles.

The vulnerability requires the SFTP subsystem to be configured with the "root" option, which is not enabled by default. It only allows modification of file attributes, not the contents of files. If the SSH daemon runs as root, this can lead to privilege escalation by enabling attackers to set the setuid bit on binaries, change ownership of sensitive files, or make system configurations world-writable.

The vulnerability affects Erlang OTP versions from 17.0 up to 28.4.3 and corresponding ssh versions. Mitigation involves avoiding the use of the "root" option in ssh_sftpd and relying on OS-level chroot or container isolation, as well as running the Erlang VM as an unprivileged user.

Impact Analysis

This vulnerability allows any authenticated SFTP user on a server configured with the "root" option to modify file attributes outside the intended chroot boundary. Specifically, an attacker can change permissions, ownership, and timestamps of files on the real filesystem if those files exist at the same relative path.

If the SSH daemon runs with root privileges, this can lead to direct privilege escalation. An attacker could set the setuid bit on binaries, change ownership of sensitive files, or make system configuration files world-writable, potentially compromising the entire system.

However, the vulnerability does not allow reading or modifying file contents, only attribute changes.

Detection Guidance

This vulnerability involves the ssh_sftpd module storing raw user-supplied paths instead of chroot-resolved paths, allowing modification of file attributes outside the chroot directory by authenticated SFTP users. Detection involves monitoring for unusual SSH_FXP_FSETSTAT requests that modify file attributes outside the expected chroot boundaries.

Since the vulnerability requires the SFTP subsystem to be configured with the "root" option and authenticated access, detection can focus on auditing SFTP server configurations and logs for such usage.

Suggested commands include checking the ssh_sftpd configuration for the "root" option in subsystem_spec, and monitoring SFTP server logs for SSH_FXP_FSETSTAT operations targeting paths outside the chroot.

  • Check ssh_sftpd configuration for use of the "root" option in subsystem_spec.
  • Audit SFTP logs for SSH_FXP_FSETSTAT commands modifying file attributes.
  • Use file integrity monitoring tools to detect unexpected changes in file attributes outside chroot directories.
Mitigation Strategies

Immediate mitigation steps include avoiding the use of the "root" option in ssh_sftpd:subsystem_spec/1, which is the prerequisite for this vulnerability to be exploitable.

Instead, rely on OS-level chroot or container isolation mechanisms to confine SFTP users securely.

Running the Erlang VM as an unprivileged OS user limits the impact, as attribute modifications will be restricted by OS-level permissions.

Apply available patches that fix the vulnerability by enforcing absolute path usage internally in ssh_sftpd, as released in OTP versions 28.4.3, 27.3.4.11, and 26.2.5.20.

  • Remove or disable the "root" option in ssh_sftpd:subsystem_spec/1 configuration.
  • Use OS-level chroot or container isolation for SFTP confinement.
  • Run the Erlang VM as an unprivileged user.
  • Update Erlang OTP to patched versions that fix this vulnerability.
Compliance Impact

This vulnerability allows an authenticated SFTP user to modify file attributes outside the configured chroot directory, potentially leading to unauthorized changes in file permissions, ownership, and timestamps.

If the SSH daemon runs as root, this can lead to privilege escalation, enabling attackers to set the setuid bit on binaries, change ownership of sensitive files, or make system configurations world-writable.

Such unauthorized modifications could undermine the integrity and security of sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of data integrity.

Mitigations include avoiding the use of the "root" option in ssh_sftpd and relying on OS-level chroot or container isolation, as well as running the Erlang VM as an unprivileged OS user to limit the impact.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32147. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart