{"id":"EEF-CVE-2026-32147","summary":"SFTP chroot bypass via path traversal in SSH_FXP_FSETSTAT","details":"## Summary\n\nImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.\n\nThe SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.\n\nAny authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.\n\nIf the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15.\n\n## Workaround\n\n* Do not use the root option in ssh_sftpd:subsystem_spec/1, and instead rely on OS-level chroot or container isolation to confine SFTP users.\n* Ensure the Erlang VM is not running as a privileged OS user. Running the VM as an unprivileged user limits the impact of this vulnerability, since attribute modifications are constrained by that user's OS-level permissions.\n\n## Configuration\n\nThe SFTP subsystem must be configured with the root option in ssh_sftpd:subsystem_spec/1. The root option is not set by default.","aliases":["CVE-2026-32147","GHSA-28jg-mw9x-hpm5"],"modified":"2026-04-22T04:13:25.005Z","published":"2026-04-21T12:01:20.350Z","database_specific":{"cwe_ids":["CWE-22"],"cpe_ids":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"capec_ids":[]},"references":[{"type":"ADVISORY","url":"https://github.com/erlang/otp/security/advisories/GHSA-28jg-mw9x-hpm5"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-32147.html"},{"type":"WEB","url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/28c5d5a6c5f873dc701b597276271763e7d1c004"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/erlang/otp","events":[{"introduced":"07b8f441ca711f9812fad9e9115bab3c3aa92f79"},{"fixed":"28c5d5a6c5f873dc701b597276271763e7d1c004"}]}],"versions":["OTP-17.0","OTP-18.0","OTP-18.0-rc1","OTP-19.0","OTP-19.0-rc1","OTP-19.0-rc2","OTP-20.0","OTP-20.0-rc1","OTP-20.0-rc2","OTP-21.0","OTP-21.0-rc1","OTP-21.0-rc2","OTP-22.0","OTP-22.0-rc1","OTP-22.0-rc2","OTP-22.0-rc3","OTP-23.0","OTP-23.0-rc1","OTP-23.0-rc2","OTP-23.0-rc3","OTP-24.0","OTP-24.0-rc1","OTP-24.0-rc2","OTP-24.0-rc3","OTP-25.0","OTP-25.0-rc1","OTP-25.0-rc2","OTP-25.0-rc3","OTP-26.0","OTP-26.0-rc1","OTP-26.0-rc2","OTP-26.0-rc3","OTP-26.1","OTP-26.2","OTP-26.2.3","OTP-26.2.4","OTP-26.2.5","patch-base-26"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2026-32147.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"}],"credits":[{"name":"John Downey","type":"FINDER"},{"name":"Michał Wąsowski","type":"REMEDIATION_DEVELOPER"},{"name":"Jakub Witczak","type":"REMEDIATION_REVIEWER"}]}