CVE-2026-53422

Source
https://cve.org/CVERecord?id=CVE-2026-53422
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53422.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53422
Aliases
Downstream
Published
2026-07-02T16:06:03.802Z
Modified
2026-07-09T21:16:11.017788935Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured root
Details

Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.

The SSHFXPREALPATH handler in sshsftpd calls relatefilename/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the iswithinroot/2 check without being resolved. The un-canonicalized path then enters resolvesymlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths.

An authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (SSHFXPNAME when the path resolves successfully, SSHFXNOSUCHFILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.

The vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.

This vulnerability is associated with program files lib/ssh/src/sshsftpd.erl and program routine sshsftpd:handle_op/4.

This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "3.0.1"
                },
                {
                    "fixed": "*"
                },
                {
                    "introduced": "17.0"
                },
                {
                    "fixed": "*"
                },
                {
                    "introduced": "84adefa331c4159d432d22840663c38f155cd4c1"
                },
                {
                    "fixed": "*"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53422.json",
    "cwe_ids": [
        "CWE-204"
    ],
    "cna_assigner": "EEF"
}
References

Affected packages

Git / github.com/erlang/otp

Affected ranges

Type
GIT
Repo
https://github.com/erlang/otp
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "17.0"
        },
        {
            "fixed": "27.3.4.14"
        },
        {
            "introduced": "28.0"
        },
        {
            "fixed": "28.5.0.3"
        },
        {
            "introduced": "29.0"
        },
        {
            "fixed": "29.0.3"
        }
    ]
}

Affected versions

OTP-17.*
OTP-17.0
OTP-18.*
OTP-18.0
OTP-18.0-rc1
OTP-19.*
OTP-19.0
OTP-19.0-rc1
OTP-19.0-rc2
OTP-20.*
OTP-20.0
OTP-20.0-rc1
OTP-20.0-rc2
OTP-21.*
OTP-21.0
OTP-21.0-rc1
OTP-21.0-rc2
OTP-22.*
OTP-22.0
OTP-22.0-rc1
OTP-22.0-rc2
OTP-22.0-rc3
OTP-23.*
OTP-23.0
OTP-23.0-rc1
OTP-23.0-rc2
OTP-23.0-rc3
OTP-24.*
OTP-24.0
OTP-24.0-rc1
OTP-24.0-rc2
OTP-24.0-rc3
OTP-25.*
OTP-25.0
OTP-25.0-rc1
OTP-25.0-rc2
OTP-25.0-rc3
OTP-26.*
OTP-26.0
OTP-26.0-rc1
OTP-26.0-rc2
OTP-26.0-rc3
OTP-27.*
OTP-27.0
OTP-27.0-rc1
OTP-27.0-rc2
OTP-27.0-rc3
OTP-27.1
OTP-27.2
OTP-27.3
OTP-27.3.1
OTP-27.3.2
OTP-27.3.3
OTP-27.3.4
OTP-27.3.4.1
OTP-27.3.4.10
OTP-27.3.4.11
OTP-27.3.4.12
OTP-27.3.4.13
OTP-27.3.4.2
OTP-27.3.4.3
OTP-27.3.4.4
OTP-27.3.4.5
OTP-27.3.4.6
OTP-27.3.4.7
OTP-27.3.4.8
OTP-27.3.4.9
OTP-28.*
OTP-28.0
OTP-28.1
OTP-28.4
OTP-28.5
OTP-28.5.0.1
OTP-28.5.0.2
OTP-29.*
OTP-29.0
OTP-29.0.1
OTP-29.0.2
Other
patch-base-27
patch-base-28

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53422.json"