EUVD-2026-36056Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery.
The SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /.
The information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.
This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.
This issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.
AnalysisAI
Path disclosure in Erlang OTP's ssh_sftpd module exposes the absolute backend filesystem path of the SFTP chroot root to authenticated clients. By creating a symlink inside the chroot pointing to '/' and issuing SSH_FXP_READLINK, an authenticated SFTP client receives the raw absolute path (e.g., '/data/sftp') that the server uses as the chroot backend, rather than the sanitized chroot-relative value '/'. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) a valid SFTP user account with at least low-privilege access to the server (PR:L - unauthenticated exploitation is not possible per the CVSS vector); (2) the SFTP server must be explicitly configured with a chroot root directory (the AT:P 'attack requirements present' modifier - servers running ssh_sftpd without a configured root option are not affected because no backend prefix exists to leak); and (3) the authenticated client must have permission to create symlinks within the chroot. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 2.3 accurately reflects real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with valid SFTP credentials connects to an Erlang OTP SFTP server configured with a chroot root directory. The attacker uses the SFTP client to create a symlink at a path inside the chroot (e.g., '/link') pointing to '/'; ssh_sftpd resolves this to the absolute backend root and stores it on disk. … |
| Remediation | Upgrade Erlang OTP to one of the patched releases: 29.0.2 (ssh 6.0.1), 28.5.0.2 (ssh 5.5.2.1), or 27.3.4.13 (ssh 5.2.11.8). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today