{"containers":{"cna":{"affected":[{"cpes":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","modules":["ssh_sftpd"],"packageName":"ssh","packageURL":"pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp&vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git","product":"OTP","programFiles":["src/ssh_sftpd.erl"],"programRoutines":[{"name":"ssh_sftpd:do_open/4"},{"name":"ssh_sftpd:handle_op/4"}],"repo":"https://github.com/erlang/otp","vendor":"Erlang","versions":[{"changes":[{"at":"5.5.3","status":"unaffected"},{"at":"5.2.11.7","status":"unaffected"},{"at":"5.1.4.15","status":"unaffected"}],"lessThan":"*","status":"affected","version":"3.01","versionType":"otp"}]},{"collectionURL":"https://github.com","cpes":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","modules":["ssh_sftpd"],"packageName":"erlang/otp","packageURL":"pkg:github/erlang/otp","product":"OTP","programFiles":["lib/ssh/src/ssh_sftpd.erl"],"programRoutines":[{"name":"ssh_sftpd:do_open/4"},{"name":"ssh_sftpd:handle_op/4"}],"repo":"https://github.com/erlang/otp","vendor":"Erlang","versions":[{"changes":[{"at":"28.4.3","status":"unaffected"},{"at":"27.3.4.11","status":"unaffected"},{"at":"26.2.5.20","status":"unaffected"}],"lessThan":"*","status":"affected","version":"17.0","versionType":"otp"},{"changes":[{"at":"28c5d5a6c5f873dc701b597276271763e7d1c004","status":"unaffected"}],"lessThan":"*","status":"affected","version":"07b8f441ca711f9812fad9e9115bab3c3aa92f79","versionType":"git"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The SFTP subsystem must be configured with the <tt>root</tt> option in <tt>ssh_sftpd:subsystem_spec/1</tt>. The <tt>root</tt> option is not set by default."}],"value":"The SFTP subsystem must be configured with the root option in ssh_sftpd:subsystem_spec/1. The root option is not set by default."}],"credits":[{"lang":"en","type":"finder","value":"John Downey"},{"lang":"en","type":"remediation developer","value":"Michał Wąsowski"},{"lang":"en","type":"remediation reviewer","value":"Jakub Witczak"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP <tt>ssh</tt> (<tt>ssh_sftpd</tt> module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.<p>The SFTP daemon (<tt>ssh_sftpd</tt>) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When <tt>SSH_FXP_FSETSTAT</tt> is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.</p><p>Any authenticated SFTP user on a server configured with the <tt>root</tt> option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.</p><p>If the SSH daemon runs as <tt>root</tt>, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.</p><p>This vulnerability is associated with program files <tt>lib/ssh/src/ssh_sftpd.erl</tt> and program routines <tt>ssh_sftpd:do_open/4</tt> and <tt>ssh_sftpd:handle_op/4</tt>.</p><p>This issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to <tt>ssh</tt> from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15.</p>"}],"value":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.\n\nThe SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.\n\nAny authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.\n\nIf the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":5.3,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"LOW","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-21T12:01:20.350Z","orgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","shortName":"EEF"},"references":[{"tags":["vendor-advisory","related"],"url":"https://github.com/erlang/otp/security/advisories/GHSA-28jg-mw9x-hpm5"},{"tags":["related"],"url":"https://cna.erlef.org/cves/CVE-2026-32147.html"},{"tags":["related"],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-32147"},{"tags":["x_version-scheme"],"url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"},{"tags":["patch"],"url":"https://github.com/erlang/otp/commit/28c5d5a6c5f873dc701b597276271763e7d1c004"}],"source":{"discovery":"EXTERNAL"},"title":"SFTP chroot bypass via path traversal in SSH_FXP_FSETSTAT","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<ul><li>Do not use the <tt>root</tt> option in <tt>ssh_sftpd:subsystem_spec/1</tt>, and instead rely on OS-level chroot or container isolation to confine SFTP users.</li><li>Ensure the Erlang VM is not running as a privileged OS user. Running the VM as an unprivileged user limits the impact of this vulnerability, since attribute modifications are constrained by that user's OS-level permissions.</li></ul>"}],"value":"* Do not use the root option in ssh_sftpd:subsystem_spec/1, and instead rely on OS-level chroot or container isolation to confine SFTP users.\n* Ensure the Erlang VM is not running as a privileged OS user. Running the VM as an unprivileged user limits the impact of this vulnerability, since attribute modifications are constrained by that user's OS-level permissions."}],"x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","assignerShortName":"EEF","cveId":"CVE-2026-32147","datePublished":"2026-04-21T12:01:20.350Z","dateReserved":"2026-03-10T22:37:29.213Z","dateUpdated":"2026-04-21T12:01:20.350Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"}