CVE-2026-59995
Received Received - Intake

SFTP Path Traversal in OpenSSH

Vulnerability report for CVE-2026-59995, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: MITRE

Description

sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openssh openssh to 10.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

The vulnerability can allow a malicious sftp server to write files to locations on your system that you did not intend, potentially overwriting important files or placing malicious files in sensitive directories. This could lead to limited integrity and availability impacts on your system, such as unauthorized modification of files or denial of service.

Executive Summary

This vulnerability exists in the sftp component of OpenSSH versions before 10.4. When using the command "sftp server:/path ." with a server controlled by an attacker, the sftp client does not properly restrict where downloaded files are saved. This means that a malicious server could cause files to be written to unintended locations on the client system.

Detection Guidance

This vulnerability involves sftp in OpenSSH versions before 10.4 improperly constraining the location of downloaded files when using the command "sftp server:/path ." with an attacker-controlled server.

To detect if your system is vulnerable, first check the OpenSSH version installed on your system.

  • Run the command: ssh -V

If the version is earlier than 10.4, your system is potentially vulnerable.

There are no specific detection commands or network signatures provided in the available resources to identify exploitation attempts of this vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade OpenSSH to version 10.4 or later, as this release includes fixes for the vulnerability where malicious servers could write files to unintended locations.

Until the upgrade can be applied, avoid using the vulnerable sftp command pattern "sftp server:/path ." with untrusted or attacker-controlled servers.

Additionally, verify the integrity of your OpenSSH binaries using provided checksums and PGP signatures from the official release.

Compliance Impact

The provided information does not specify how the vulnerability in OpenSSH sftp before version 10.4 affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59995. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart