Skip to main content

Wish SSH Server CVE-2026-41589

| EUVDEUVD-2026-28370 CRITICAL
Path Traversal (CWE-22)
2026-05-07 GitHub_M GHSA-xjvp-7243-rg9h
9.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 14:31 vuln.today
Analysis Generated
May 07, 2026 - 14:31 vuln.today
CVE Published
May 07, 2026 - 13:17 nvd
CRITICAL 9.6

DescriptionGitHub Advisory

Wish is an SSH server with defaults and a collection of middlewares. From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequences over the SCP protocol. This issue has been patched in version 2.0.1.

AnalysisAI

Path traversal in Wish SSH server's SCP middleware allows authenticated attackers to read arbitrary files, write arbitrary files, and create directories outside the configured root via crafted filenames containing ../ sequences. Affects charm.land/wish/v2 versions 2.0.0 through 2.0.1 and all github.com/charmbracelet/wish v1.x versions. Vendor-released patch v2.0.1 available for v2 branch; no fix confirmed for v1 branch. CVSS 9.6 with scope change indicates potential container/host escape scenarios. No evidence of active exploitation or public POC at time of analysis.

Technical ContextAI

Wish is an SSH server library with middleware components for Go applications. The vulnerability exists in the SCP (Secure Copy Protocol) middleware's path validation logic. The fileSystemHandler.prefixed() method uses filepath.Clean() and filepath.Join() to confine operations to a root directory, but fails to validate that the resolved path remains within bounds after cleaning. When filepath.Clean() processes ../ sequences, it resolves them to parent directories without rejecting paths that escape the root. The affected code parses SCP protocol wire format using regular expressions that accept arbitrary filenames without sanitization, then passes these directly to filesystem operations. This is a classic CWE-22 path traversal vulnerability caused by improper neutralization of special elements in pathnames. The SCP protocol itself has no built-in path validation, making server-side enforcement critical.

RemediationAI

Primary remediation: upgrade charm.land/wish/v2 to version 2.0.1 or later, released 2025 and available at https://github.com/charmbracelet/wish/releases/tag/v2.0.1. The patch adds proper path validation to prevent traversal attacks in the fileSystemHandler.prefixed() method and includes regression tests. For organizations using github.com/charmbracelet/wish v1.x branch: no vendor-released patch version is confirmed at time of analysis; evaluate migration to v2.0.1 or implement compensating controls. Workarounds for environments unable to patch immediately: (1) Disable SCP middleware if not operationally required - this eliminates the attack surface entirely; (2) Run the SSH server process with minimal filesystem permissions using chroot jails, containers with read-only root filesystems, or mandatory access controls (SELinux/AppArmor) to limit traversal impact; (3) Implement network-level access controls restricting SSH access to trusted users only, though this does not eliminate risk from compromised credentials. Note that disabling SCP functionality may break workflows dependent on scp file transfers; evaluate organizational impact before deployment. Monitor application logs for suspicious SCP filenames containing ../ sequences as a detection mechanism.

Share

CVE-2026-41589 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy