Skip to main content

Apache MINA SSHD CVE-2026-48827

| EUVDEUVD-2026-33606 HIGH
Path Traversal (CWE-22)
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
SUSE
HIGH
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 01, 2026 - 09:22 vuln.today
CVSS changed
Jun 01, 2026 - 09:22 NVD
7.1 (HIGH)
CVE Published
May 30, 2026 - 12:45 nvd
UNKNOWN (no severity yet)
CVE Published
May 30, 2026 - 12:45 nvd
HIGH 7.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 maven packages depend on org.apache.sshd:sshd-git (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.0.0-M1.

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Path traversal in the org.apache.sshd:sshd-git component of Apache MINA SSHD allows authenticated remote attackers to read files outside the intended Git repository directory by supplying crafted path references over SSH. The flaw was disclosed pre-NVD on the oss-security mailing list on 2026-05-30 by Apache maintainer Thomas Wolf, with no public exploit identified at time of analysis and no CISA KEV listing.

Technical ContextAI

Apache MINA SSHD is a Java library implementing the SSH protocol on top of the Apache MINA networking framework, widely embedded in build tools, IDEs, and CI/CD services to host Git-over-SSH or to provide programmable SSH endpoints. The vulnerable artifact is specifically org.apache.sshd:sshd-git, the sub-module that bridges SSH sessions to Git repositories by handling git-upload-pack and git-receive-pack invocations. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) describes the root cause: user-supplied path components are not properly canonicalized or constrained against a configured repository root, so dot-dot segments or absolute paths can escape the intended directory boundary. The CPE for the precise affected versions has not yet been published on NVD because this is a pre-NVD disclosure.

RemediationAI

No vendor-released patch version was identified in the provided data; defenders should monitor the Apache MINA project release notes and the linked Apache mailing list thread (https://lists.apache.org/thread/910kq9ghm6js0k1yhhbrdm9sf5tqq9c9) and upgrade org.apache.sshd:sshd-git to the fixed release as soon as it is published. Until a patched version is consumed, mitigate by disabling the sshd-git command factory or routing Git-over-SSH through a separate hardened service such as Gitea or GitLab Shell (trade-off: removes the embedded Git server feature), restricting which authenticated principals can open SSH sessions to the MINA endpoint via key allowlists or PAM, and placing the MINA SSHD listener behind a bastion or VPN to prevent direct internet exposure (trade-off: blocks legitimate external developer workflows). File-system level hardening - running the SSHD process as a dedicated low-privileged user with a chroot or container mount that exposes only the intended repository tree - limits the value of any path traversal even if the bug is triggered.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-48827 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy