{"affected":[{"ranges":[{"events":[{"introduced":"07b8f441ca711f9812fad9e9115bab3c3aa92f79"},{"fixed":"28c5d5a6c5f873dc701b597276271763e7d1c004"}],"repo":"https://github.com/erlang/otp","type":"GIT"}]}],"aliases":["GHSA-28jg-mw9x-hpm5","CVE-2026-32147"],"credits":[{"name":"John Downey","type":"FINDER"},{"name":"Michał Wąsowski","type":"REMEDIATION_DEVELOPER"},{"name":"Jakub Witczak","type":"REMEDIATION_REVIEWER"}],"database_specific":{"capec_ids":[],"cpe_ids":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-22"]},"details":"## Summary\n\nImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.\n\nThe SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.\n\nAny authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.\n\nIf the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15.\n\n## Workaround\n\n* Do not use the root option in ssh_sftpd:subsystem_spec/1, and instead rely on OS-level chroot or container isolation to confine SFTP users.\n* Ensure the Erlang VM is not running as a privileged OS user. Running the VM as an unprivileged user limits the impact of this vulnerability, since attribute modifications are constrained by that user's OS-level permissions.\n\n## Configuration\n\nThe SFTP subsystem must be configured with the root option in ssh_sftpd:subsystem_spec/1. The root option is not set by default.","id":"EEF-CVE-2026-32147","modified":"2026-04-21T12:01:20.350Z","published":"2026-04-21T12:01:20.350Z","references":[{"type":"ADVISORY","url":"https://github.com/erlang/otp/security/advisories/GHSA-28jg-mw9x-hpm5"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-32147.html"},{"type":"WEB","url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/28c5d5a6c5f873dc701b597276271763e7d1c004"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N","type":"CVSS_V4"}],"summary":"SFTP chroot bypass via path traversal in SSH_FXP_FSETSTAT","upstream":[]}