Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.
The SFTP daemon (sshsftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSHFXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.
Any authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.
If the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.
This vulnerability is associated with program files lib/ssh/src/sshsftpd.erl and program routines sshsftpd:doopen/4 and sshsftpd:handle_op/4.
This issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15.
{
"cwe_ids": [
"CWE-22"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32147.json",
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "3.01"
},
{
"fixed": "*"
},
{
"introduced": "17.0"
},
{
"fixed": "*"
},
{
"introduced": "07b8f441ca711f9812fad9e9115bab3c3aa92f79"
},
{
"fixed": "*"
}
],
"source": "AFFECTED_FIELD"
}
],
"cna_assigner": "EEF"
}{
"cpe": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "17.0"
},
{
"fixed": "26.2.5.20"
},
{
"introduced": "27.0"
},
{
"fixed": "27.3.4.11"
},
{
"introduced": "28.0"
},
{
"fixed": "28.4.3"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}