Skip to main content

Otp EUVDEUVD-2026-11778

| CVE-2026-23942 MEDIUM
Path Traversal (CWE-22)
2026-03-13 EEF
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 06, 2026 - 17:17 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 09:29 euvd
EUVD-2026-11778
Analysis Generated
Mar 13, 2026 - 09:29 vuln.today
CVE Published
Mar 13, 2026 - 09:11 nvd
MEDIUM 5.3

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.

This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2.

The SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root.

This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.

AnalysisAI

The Erlang OTP ssh_sftpd module contains a path traversal vulnerability in the is_within_root/2 function that uses string prefix matching instead of proper path component validation to verify if accessed paths are within the configured root directory. An authenticated SFTP user can exploit this to access sibling directories sharing a common name prefix with the root directory (for example, if root is /home/user1, accessing /home/user10 or /home/user1_backup would succeed when it should fail). This vulnerability affects OTP versions 17.0 through 28.4.1 with corresponding SSH versions 3.0.1 through 5.5.1, with no confirmed active exploitation in the wild (KEV status not indicated as actively exploited) but with a moderate CVSS score of 5.3 reflecting the requirement for prior authentication.

Technical ContextAI

The vulnerability exists in the SFTP server implementation within Erlang OTP, specifically in the ssh_sftpd module file lib/ssh/src/ssh_sftpd.erl. The ssh_sftpd:is_within_root/2 function is responsible for enforcing directory access controls by validating that user-requested file paths remain within an administrator-configured root directory. However, the implementation uses the Erlang lists:prefix/2 function to perform simple string-level prefix matching rather than canonical path parsing and component-level validation. This represents a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) vulnerability where path canonicalization and traversal-resistant validation is missing. The affected technology is the Secure File Transfer Protocol (SFTP) server component built into Erlang's SSH application, which is widely used in distributed Erlang systems and cloud infrastructure.

RemediationAI

Immediately upgrade Erlang OTP to version 28.4.2 or later, OTP 27.3.4.10 or later (if remaining on the 27.x branch), or OTP 26.2.5.19 or later (if remaining on the 26.x branch); corresponding SSH application versions 5.5.2 or later are required. As an interim workaround pending patching, restrict SFTP server access to trusted networks only via firewall rules, disable SFTP functionality if not actively required, and audit configured root directories to ensure they do not share common prefixes with sensitive sibling paths (for example, avoid setting root to /home/user1 if /home/user10 contains sensitive data). Organizations should consult the official Erlang OTP security advisory for patch distribution channels and validation procedures.

More in Otp

View all
CVE-2022-24584 MEDIUM POC
6.5 May 11

Incorrect access control in Yubico OTP functionality of the YubiKey hardware tokens along with the Yubico OTP validation

CVE-2026-49759 HIGH
8.8 Jun 10

Denial of service in Erlang/OTP erts (inet_drv SCTP handler) lets unauthenticated remote attackers crash the BEAM VM by

CVE-2026-55950 HIGH
8.7 Jul 02

Remote denial of service in Erlang/OTP's ssl application (dtls_packet_demux module) lets an unauthenticated attacker cra

CVE-2026-28808 HIGH
8.3 Apr 07

Authorization bypass in Erlang OTP's inets HTTP server allows unanauthenticated remote attackers to execute CGI scripts

CVE-2026-55952 HIGH
8.2 Jul 02

Denial of service in the Erlang/OTP ssl application (OTP 22.2 through 29.0.3, and the 28.5.x/27.3.x maintenance branches

CVE-2026-32144 HIGH
7.6 Apr 07

Erlang OTP public_key module (versions 1.16 through 1.20.3 and 1.17.1.2) fails to cryptographically verify OCSP responde

CVE-2026-48860 HIGH
7.5 Jun 10

Authentication bypass in Erlang/OTP's TLS distribution module (inet_tls_dist) lets any attacker holding a TLS certificat

CVE-2026-48856 HIGH
7.1 Jun 10

Credential leakage in Erlang/OTP's inets httpc client (versions 17.0 through 29.0.2, 28.5.0.2, and 27.3.4.13) allows att

CVE-2026-49760 MEDIUM
6.9 Jun 10

Stack-based buffer overflow in Erlang OTP's erl_interface C library (`ei_s_print_term`) crashes processes when decoding

CVE-2026-54887 MEDIUM
6.3 Jul 02

The DTLS server in Erlang/OTP ssl initializes its cookie secret to a hardcoded empty binary on startup, making HMAC-base

CVE-2026-48859 MEDIUM
6.3 Jun 10

Username enumeration via timing side-channel in Erlang/OTP SSH daemon (OTP 29.0-29.0.1) allows unauthenticated remote at

CVE-2026-54891 MEDIUM
6.3 Jul 02

Blind plaintext injection into Erlang/OTP TLS clients allows a network-positioned attacker to insert unauthenticated APP

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

EUVD-2026-11778 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy