PT-2026-33930 · Unknown · Erlang/Otp
Jakub Witczak and 2 others · Published 2026-04-21 · Updated 2026-06-05 · CVE-2026-32147
CVSS v4.0: 5.3 (Medium), vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
Erlang/OTP 17.0 through 28.4.3 (OTP 28 branch)
Erlang/OTP 17.0 through 27.3.4.11 (OTP 27 branch)
Erlang/OTP 17.0 through 26.2.5.20 (OTP 26 branch)
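As an added check (not part of the advisory and not OTP code), the following Python compares an installed OTP version string against the three ranges listed above, branch by branch. It assumes that the first fixed release on each maintained branch is the next version after the listed ceiling, that branches 17 through 25 have no fixed release listed and are therefore treated as affected, and that releases on branches newer than 28 are not listed and are treated as unaffected; the last two are assumptions of this example, not statements from the advisory.

```python
# Added example, not taken from the advisory or from Erlang/OTP: check an
# OTP version string against the affected ranges listed above.
#
# Assumptions (not stated on the page): the first fixed release on each
# maintained branch is the next version after the listed ceiling; branches
# 17 through 25 have no fixed release listed and are treated as affected;
# branches newer than 28 are not listed and are treated as unaffected.

FIRST_AFFECTED = (17, 0)

# Last affected release per maintained branch, taken from the list above.
LAST_AFFECTED = {
    28: (28, 4, 3),
    27: (27, 3, 4, 11),
    26: (26, 2, 5, 20),
}


def parse_otp_version(text):
    """Turn '28.4.3', 'OTP-27.3.4.11' or 'OTP 26.2.5.20' into an int tuple."""
    text = text.strip()
    for prefix in ("OTP-", "OTP "):
        if text.upper().startswith(prefix):
            text = text[len(prefix):]
    parts = tuple(int(p) for p in text.split("."))
    if not parts:
        raise ValueError("empty version string")
    return parts


def is_affected(version):
    """True if the given OTP release falls inside one of the affected ranges."""
    v = parse_otp_version(version)
    if v < FIRST_AFFECTED:
        return False
    major = v[0]
    if major in LAST_AFFECTED:
        # Tuple comparison: 28.4.3 <= 28.4.3 is affected; 28.4.4 and 28.4.3.1 are later.
        return v <= LAST_AFFECTED[major]
    # 17..25: no fixed release listed (assumed affected); 29 and up: assumed unaffected.
    return major <= 25


def triage(versions):
    """Return {version: 'affected' | 'not affected'} for a list of version strings."""
    return {v: ("affected" if is_affected(v) else "not affected") for v in versions}


if __name__ == "__main__":
    for v, status in triage(["28.4.3", "28.4.4", "OTP-27.3.4.11", "26.2.5.21", "25.3.2"]).items():
        print(f"{v:>14}: {status}")
```

The full version string of an installation is in the OTP_VERSION file under the release directory (releases/28/OTP_VERSION relative to the Erlang root, for example); erlang:system_info(otp_release) only reports the major number, which is not enough to place a release on one side of the branch ceilings above.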
Description
A path traversal issue in the ssh_sftpd module of the Erlang/OTP ssh application allows an authenticated SFTP user to modify file attributes outside the configured chroot directory. The SFTP daemon stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes such as permissions, ownership and timestamps are applied to the real filesystem path, bypassing the root directory boundary. Exploitation requires the server to be configured with the root option and the target file to exist on the real filesystem at the same relative path. The flaw only allows modification of file attributes; file contents cannot be read or altered. If the SSH daemon runs as root, an attacker can escalate privileges by setting the setuid bit on binaries, changing the ownership of sensitive files or making system configuration files world-writable. The issue is associated with the file lib/ssh/src/ssh_sftpd.erl and the functions ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4.
Recommendations
Update Erlang/OTP to a version later than 28.4.3, 27.3.4.11 or 26.2.5.20, depending on the release branch.
Do not use the root option of ssh_sftpd:subsystem_spec/1; confine SFTP users with an OS-level chroot or container isolation instead.
Ensure the Erlang VM does not run as a privileged OS user, so that an attribute change outside the root cannot set the setuid bit on, or change the ownership of, files the SFTP user could not otherwise touch.
Fix
LPE
Path traversal
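To make the handle-path mechanism from the description concrete, the following Python model (added here; it is not the advisory's text and not OTP's code) keeps an SFTP handle table in two ways: storing the raw client path, as the flawed daemon does, and storing the root-resolved path, as the fix requires. The in-memory filesystem, the root directory /srv/sftp and the target path /usr/local/bin/helper are constructed for the example; the scenario mirrors the advisory's precondition that a file with the same relative path exists both inside and outside the root, and shows where an SSH_FXP_FSETSTAT setting the setuid bit actually lands in each case.

```python
import posixpath

# Constructed sample filesystem: path -> permission bits. The real binary sits
# outside the SFTP root, and a file with the same relative path exists inside
# the root, which is the precondition the advisory gives for the traversal.
SFTP_ROOT = "/srv/sftp"
REAL_TARGET = "/usr/local/bin/helper"      # hypothetical target outside the root
CHROOT_COPY = SFTP_ROOT + REAL_TARGET      # same relative path inside the root


def sample_fs():
    return {REAL_TARGET: 0o755, CHROOT_COPY: 0o755}


def resolve_in_root(root, client_path):
    """Chroot-style resolution of a client-supplied SFTP path.
    The path is first normalised against a virtual '/' so that '..' cannot
    climb above it, then re-based under root."""
    virtual = posixpath.normpath("/" + client_path.lstrip("/"))
    return posixpath.normpath(posixpath.join(root, virtual.lstrip("/")))


class SftpdModel:
    """Hypothetical stand-in for an SFTP daemon's handle table, not OTP code.
    store_resolved=False keeps the raw client path in the handle (the flawed
    behaviour described above); store_resolved=True keeps the resolved path."""

    def __init__(self, fs, root, store_resolved):
        self.fs = fs
        self.root = root
        self.store_resolved = store_resolved
        self.handles = {}
        self.next_handle = 0

    def do_open(self, client_path):
        """SSH_FXP_OPEN: the open itself is confined to the root, so the file
        must exist there, but the handle may remember the wrong path."""
        real = resolve_in_root(self.root, client_path)
        if real not in self.fs:
            raise FileNotFoundError(client_path)
        self.next_handle += 1
        self.handles[self.next_handle] = real if self.store_resolved else client_path
        return self.next_handle

    def fsetstat(self, handle, mode):
        """SSH_FXP_FSETSTAT: apply attributes to whatever path the handle holds,
        with no second resolution against the root."""
        path = self.handles[handle]
        if path not in self.fs:
            raise FileNotFoundError(path)
        self.fs[path] = mode
        return path


def run_scenario(store_resolved):
    """Open the target by its absolute client path, then FSETSTAT it to setuid."""
    fs = sample_fs()
    srv = SftpdModel(fs, SFTP_ROOT, store_resolved)
    handle = srv.do_open(REAL_TARGET)
    written_to = srv.fsetstat(handle, 0o4755)
    return {
        "written_to": written_to,
        "real_mode": fs[REAL_TARGET],
        "chroot_mode": fs[CHROOT_COPY],
    }


if __name__ == "__main__":
    print("raw path in handle:     ", run_scenario(store_resolved=False))
    print("resolved path in handle:", run_scenario(store_resolved=True))
```

With the raw path in the handle, the open succeeds because the chroot copy exists, but the attribute change lands on the real binary outside the root; with the resolved path stored, the same request only touches the copy inside the root. The model also shows why resolving the path once, at open time, is what confines every later operation on the handle.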
Weakness Enumeration
Related Identifiers
Affected Products
Erlang/Otp