Skip to main content

Otp CVE-2026-32147

| EUVDEUVD-2026-24085 MEDIUM
Path Traversal (CWE-22)
2026-04-21 EEF
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Generated
Apr 21, 2026 - 12:32 vuln.today
CVSS changed
Apr 21, 2026 - 12:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 21, 2026 - 12:15 euvd
EUVD-2026-24085
Analysis Generated
Apr 21, 2026 - 12:15 vuln.today
Patch released
Apr 21, 2026 - 12:15 nvd
Patch available
CVE Published
Apr 21, 2026 - 12:01 nvd
MEDIUM 5.3

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.

The SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.

Any authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.

If the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.

This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4.

This issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15.

AnalysisAI

Erlang OTP SSH daemon (ssh_sftpd) stores unresolved user-supplied paths in file handles, allowing authenticated SFTP users to modify file attributes (permissions, ownership, timestamps) outside the configured chroot directory via SSH_FXP_FSETSTAT requests. When the SSH daemon runs as root, this enables privilege escalation through setting setuid bits or changing ownership of system files. The vulnerability affects OTP versions 17.0 through 28.4.3 (and earlier point releases in 27.x and 26.x series); patched versions are available per vendor advisory.

Technical ContextAI

The Erlang OTP ssh_sftpd module implements an SFTP server (RFC 4253/4254) that supports root directory confinement via the root option for privilege separation. The vulnerability exists in the path handling logic of ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4 routines (lib/ssh/src/ssh_sftpd.erl). When an SFTP file open request (SSH_FXP_OPEN) is processed, the server creates a file handle but stores the raw user-supplied path string rather than the chroot-resolved absolute path. When subsequent SSH_FXP_FSETSTAT operations are issued against that handle, the module performs stat operations on the stored raw path, which is then resolved outside the chroot jail context. This is a classic path traversal (CWE-22) issue: the chroot boundary is enforced at initial path validation but the stored handle contains the original path, allowing the boundary check to be circumvented on subsequent operations.

RemediationAI

Upgrade Erlang OTP to patched versions: OTP 28.4.3 or later (ssh 5.5.3+), OTP 27.3.4.11 or later (ssh 5.2.11.7+), or OTP 26.2.5.20 or later (ssh 5.1.4.15+). The upstream fix is committed to the OTP repository at https://github.com/erlang/otp/commit/28c5d5a6c5f873dc701b597276271763e7d1c004 and resolves the path-storage issue in the ssh_sftpd module. As a compensating control pending patching, restrict SFTP access to the SSH daemon by using firewall rules or SSH configuration to limit which users have SFTP privileges, and audit file attribute changes on the real filesystem outside chroot boundaries using OS-level file integrity monitoring (e.g., auditd on Linux). Run the SSH daemon with the lowest necessary privilege (not as root if possible), using a dedicated service account; this limits the escalation impact but does not prevent the path traversal itself. Note that disabling the root option in ssh_sftpd configuration would prevent this attack but may break intended chroot functionality, so this is not recommended as a primary workaround. Detailed remediation guidance is available in the EEF security advisory at https://github.com/erlang/otp/security/advisories/GHSA-28jg-mw9x-hpm5.

More in Otp

View all
CVE-2022-24584 MEDIUM POC
6.5 May 11

Incorrect access control in Yubico OTP functionality of the YubiKey hardware tokens along with the Yubico OTP validation

CVE-2026-49759 HIGH
8.8 Jun 10

Denial of service in Erlang/OTP erts (inet_drv SCTP handler) lets unauthenticated remote attackers crash the BEAM VM by

CVE-2026-55950 HIGH
8.7 Jul 02

Remote denial of service in Erlang/OTP's ssl application (dtls_packet_demux module) lets an unauthenticated attacker cra

CVE-2026-28808 HIGH
8.3 Apr 07

Authorization bypass in Erlang OTP's inets HTTP server allows unanauthenticated remote attackers to execute CGI scripts

CVE-2026-55952 HIGH
8.2 Jul 02

Denial of service in the Erlang/OTP ssl application (OTP 22.2 through 29.0.3, and the 28.5.x/27.3.x maintenance branches

CVE-2026-32144 HIGH
7.6 Apr 07

Erlang OTP public_key module (versions 1.16 through 1.20.3 and 1.17.1.2) fails to cryptographically verify OCSP responde

CVE-2026-48860 HIGH
7.5 Jun 10

Authentication bypass in Erlang/OTP's TLS distribution module (inet_tls_dist) lets any attacker holding a TLS certificat

CVE-2026-48856 HIGH
7.1 Jun 10

Credential leakage in Erlang/OTP's inets httpc client (versions 17.0 through 29.0.2, 28.5.0.2, and 27.3.4.13) allows att

CVE-2026-49760 MEDIUM
6.9 Jun 10

Stack-based buffer overflow in Erlang OTP's erl_interface C library (`ei_s_print_term`) crashes processes when decoding

CVE-2026-54887 MEDIUM
6.3 Jul 02

The DTLS server in Erlang/OTP ssl initializes its cookie secret to a hardcoded empty binary on startup, making HMAC-base

CVE-2026-48859 MEDIUM
6.3 Jun 10

Username enumeration via timing side-channel in Erlang/OTP SSH daemon (OTP 29.0-29.0.1) allows unauthenticated remote at

CVE-2026-54891 MEDIUM
6.3 Jul 02

Blind plaintext injection into Erlang/OTP TLS clients allows a network-positioned attacker to insert unauthenticated APP

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-32147 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy