CVE-2026-53422

Path Traversal in Erlang OTP SSH SFTP Module


Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: EEF

Description

Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.

The SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the is_within_root/2 check without being resolved. The un-canonicalized path then enters resolve_symlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths.

An authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (SSH_FXP_NAME when the path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.

The vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.

This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_op/4. This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.


Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
EPSS Evaluated: N/A

Affected Vendors & Products

10 associated CPEs:

Vendor   Product   Version / Range
erlang   otp       up to 28.5.0.3 (inclusive)
erlang   otp       up to 27.3.4.14 (inclusive)
erlang   ssh       up to 5.5.2.2 (inclusive)
erlang   ssh       up to 5.2.11.9 (inclusive)
erlang   otp       from 17.0 (inclusive) to 29.0.3 (inclusive)
erlang   ssh       from 3.0.1 (inclusive) to 6.0.2 (inclusive)
erlang   ssh       5.5.2.2
erlang   ssh       5.2.11.9
erlang   ssh       from 5.5.2.2 (inclusive)
erlang   ssh       from 5.2.11.9 (inclusive)

Exploitability

CWE-204: The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

AI Quick Actions

Executive Summary

This vulnerability is an Observable Response Discrepancy issue in the Erlang OTP SSH SFTP server (ssh_sftpd module). It allows an authenticated SFTP user to determine whether files or directories exist outside the configured root directory by exploiting the SSH_FXP_REALPATH operation.

The problem arises because the SSH_FXP_REALPATH handler uses a non-canonicalized path, which bypasses the usual root directory checks. This lets the attacker send specially crafted path traversal requests that the server processes differently depending on whether the target path exists or not.

As a result, the server's differing responses create a path-existence oracle, enabling the attacker to enumerate the filesystem structure outside the intended root directory, including sensitive files and directories.

Importantly, this vulnerability only leaks information about the existence of paths; it does not allow access to file contents, credentials, or write permissions by itself.

Impact Analysis

This vulnerability can impact you by allowing an authenticated SFTP user to enumerate files and directories outside the configured root directory, revealing the presence of sensitive files, directories, and mount points.

While it does not provide direct access to file contents, credentials, or modification capabilities, the information gained can be used for further attacks by mapping the filesystem structure and identifying valuable targets.

This reconnaissance capability can aid attackers in planning more sophisticated exploits or lateral movement within the system.

Detection Guidance

This vulnerability can be confirmed by testing whether an authenticated SFTP user can send a REALPATH request containing traversal components and receive different responses depending on whether a file or directory outside the configured root exists.

Specifically, a tester sends SSH_FXP_REALPATH requests with path traversal sequences (e.g., /valid_dir/../../../etc/passwd) and checks whether the server answers with SSH_FXP_NAME when the path exists and SSH_FX_NO_SUCH_FILE when it does not.

To check your own system, use an SFTP client or scripting tool to send such REALPATH requests and compare the responses for a discrepancy that reveals path existence.

The referenced resources provide no explicit commands; an SFTP client with verbose logging, or a custom script that sends REALPATH requests with traversal paths and records the responses, is the practical approach. A patched server applies the root check to the canonicalized path, so both existing and non-existing targets outside the root produce the same rejection.

Mitigation Strategies

Immediate mitigation steps include applying the available patches that fix the vulnerability by adding root directory validation in the SSH_FXP_REALPATH handler to prevent path traversal outside the configured root.

If patching is not immediately possible, workarounds include using OS-level chroot to restrict the SFTP server's filesystem view, restricting access to the SFTP server to trusted users only, and avoiding sensitive information in path structures.

Upgrading Erlang/OTP to versions 29.0.3, 28.5.0.3, or 27.3.4.14 or later, where the fix has been applied, is recommended.
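The description above attributes the bug to the REALPATH handler skipping canonicalization before the root check, and the mitigation section describes the fix as root directory validation in that handler. The following is an added example, not code from lib/ssh/src/ssh_sftpd.erl: a hypothetical module (sftp_root_check, a name chosen here) showing why a prefix check on the raw path passes a traversal request while canonicalizing first rejects it. It assumes absolute paths and a constructed root of /srv/sftp, and it resolves . and .. lexically only.

```erlang
%% Added example, not the OTP ssh implementation: a hypothetical helper
%% contrasting a raw prefix check with a canonicalize-then-check step.
-module(sftp_root_check).
-export([canonicalize/1, within_root/2, check_raw/2, check_canonical/2, demo/0]).

%% Lexically resolve "." and ".." in an absolute path. A ".." at "/" is
%% dropped, so the result never climbs above the filesystem root.
canonicalize(Path) ->
    Segments = string:split(Path, "/", all),
    Stack = lists:foldl(
              fun("", Acc)          -> Acc;         % leading "/" or "//"
                 (".", Acc)         -> Acc;         % current directory, no-op
                 ("..", [])         -> [];          % ".." at "/" cannot go higher
                 ("..", [_ | Rest]) -> Rest;        % ".." pops one component
                 (Seg, Acc)         -> [Seg | Acc]  % ordinary component
              end, [], Segments),
    filename:join(["/" | lists:reverse(Stack)]).

%% Plain prefix test: is Path equal to Root or a descendant of it?
%% Root is assumed to already be a canonical absolute path.
within_root("/", _Path) -> true;
within_root(Root, Path) ->
    Path =:= Root orelse lists:prefix(Root ++ "/", Path).

%% Pattern that mirrors the bug: the prefix test runs on the raw request,
%% so "/srv/sftp/../../etc/passwd" still starts with "/srv/sftp/" and passes.
check_raw(Root, Requested) ->
    case within_root(Root, Requested) of
        true  -> {ok, Requested};
        false -> {error, outside_root}
    end.

%% Hardened pattern: canonicalize before the root check, so the ".."
%% components are resolved and the request is rejected uniformly,
%% whether or not the target exists on the host.
check_canonical(Root, Requested) ->
    Canonical = canonicalize(Requested),
    case within_root(Root, Canonical) of
        true  -> {ok, Canonical};
        false -> {error, outside_root}
    end.

%% Constructed traversal request against a constructed root, returning
%% the outcome of both checks side by side.
demo() ->
    Root = "/srv/sftp",
    Req  = "/srv/sftp/../../etc/passwd",
    {check_raw(Root, Req), check_canonical(Root, Req)}.
```

Lexical canonicalization handles only . and .. components; because the description notes that resolve_symlinks/2 runs afterwards, the symlink-resolved target also needs to stay within the root for the check to be complete.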

Compliance Impact

The vulnerability allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory, potentially revealing the presence of sensitive files and directory structures.

Although the vulnerability does not allow access to file contents, credentials, or write operations by itself, the information leakage about filesystem structure could assist further attacks that might compromise sensitive data.

From a compliance perspective, this information disclosure could pose risks under regulations like GDPR or HIPAA, which require protection of sensitive data and prevention of unauthorized information disclosure.

Organizations relying on Erlang OTP SSH SFTP servers affected by this vulnerability should consider the risk of indirect data exposure and take mitigation steps such as applying patches, using OS-level chroot, restricting SFTP access, and avoiding sensitive information in path structures to maintain compliance.
