CVE-2026-59997
Received Received - Intake

OpenSSH internal-sftp Command-Line Argument Handling Flaw

Vulnerability report for CVE-2026-59997, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: MITRE

Description

internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openssh openssh to 10.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the internal-sftp component of sshd in OpenSSH versions before 10.4. It only recognizes the first 9 command-line arguments, which can be problematic if additional arguments beyond the ninth are necessary to enforce the intended security properties of an SFTP connection.

Impact Analysis

Because internal-sftp only processes the first 9 command-line arguments, security measures or restrictions intended to be applied via later arguments might be ignored. This could lead to weaker security enforcement on SFTP connections, potentially allowing unauthorized access or actions that were meant to be prevented.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59997. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart