PT-2026-42027 · Kopia · Kopia

Published: 2026-05-19 · Updated: 2026-05-26 · CVE-2026-45695

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Kopia versions prior to 0.22.4

Description: Kopia's HTTP server, when started with the --without-password flag, accepts unauthenticated requests to the '/api/v1/repo/exists' endpoint. The handler forwards a storage configuration provided by the requester to blob.NewStorage. For SFTP backends where externalSSH is set to true, the application constructs a process command line by splitting the sshArguments variable on spaces and passing the result to exec.CommandContext("ssh"). An attacker can inject an -oProxyCommand=<cmd> token into the sshArguments variable, which causes OpenSSH to execute the specified command via the system shell before any TCP connection is attempted. This allows for arbitrary command execution with the privileges of the Kopia process user.

Recommendations: Update Kopia to version 0.22.4 or later. As a temporary mitigation, avoid starting the server without a password when it is listening on a non-loopback interface.
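The root cause described above is a string of requester-controlled SSH arguments being split on spaces and handed to ssh unchanged, so any option token in that string is honoured by OpenSSH. The following Go program is an added illustration, not Kopia's code and not the upstream fix: it places the vulnerable splitting pattern (naiveSSHArgs) beside a validating builder (safeSSHArgs) that only accepts an allowlist of flag/value pairs, rejects every other token including -o options, and terminates option parsing with "--" before the host. The function names, the allowlist and the sample inputs are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrRejectedArgument is returned for any token the allowlist does not accept.
var ErrRejectedArgument = errors.New("rejected ssh argument")

// allowedFlags lists single-letter ssh flags that take exactly one value and are
// considered acceptable in a storage configuration. This set is an assumption
// chosen for the example; a real deployment would pick its own.
var allowedFlags = map[string]bool{"-p": true, "-i": true, "-l": true}

// naiveSSHArgs mirrors the pattern the advisory describes: the requester's
// string is split on spaces and every token reaches ssh, so option tokens such
// as -o... are interpreted by OpenSSH. Note that strings.Split also yields
// empty tokens for repeated spaces.
func naiveSSHArgs(host, sshArguments string) []string {
	args := strings.Split(sshArguments, " ")
	return append(args, host)
}

// safeSSHArgs accepts only "-flag value" pairs whose flag is in allowedFlags.
// Anything else (bare words, unknown flags, any -o option, a flag without a
// value, a value that itself looks like a flag) is rejected. The host is
// placed after "--", the conventional getopt end-of-options marker, so it can
// never be parsed as an option either.
func safeSSHArgs(host, sshArguments string) ([]string, error) {
	if host == "" || strings.HasPrefix(host, "-") {
		return nil, fmt.Errorf("%w: invalid host %q", ErrRejectedArgument, host)
	}
	tokens := strings.Fields(sshArguments) // collapses runs of whitespace, no empty tokens
	var out []string
	for i := 0; i < len(tokens); i += 2 {
		flag := tokens[i]
		if !allowedFlags[flag] {
			return nil, fmt.Errorf("%w: %q is not an allowed flag", ErrRejectedArgument, flag)
		}
		if i+1 >= len(tokens) {
			return nil, fmt.Errorf("%w: %s requires a value", ErrRejectedArgument, flag)
		}
		val := tokens[i+1]
		if strings.HasPrefix(val, "-") {
			return nil, fmt.Errorf("%w: value %q for %s looks like a flag", ErrRejectedArgument, val, flag)
		}
		if flag == "-p" && !allDigits(val) {
			return nil, fmt.Errorf("%w: port %q is not numeric", ErrRejectedArgument, val)
		}
		out = append(out, flag, val)
	}
	return append(out, "--", host), nil
}

// allDigits reports whether s is a non-empty string of ASCII digits.
func allDigits(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample inputs: one benign configuration and one carrying
	// an -o option token of the kind the advisory describes.
	for _, in := range []string{"-p 2222 -i /keys/backup", "-oProxyCommand=placeholder"} {
		fmt.Printf("naive: %q\n", naiveSSHArgs("backup.example", in))
		args, err := safeSSHArgs("backup.example", in)
		if err != nil {
			fmt.Printf("safe:  rejected (%v)\n", err)
			continue
		}
		fmt.Printf("safe:  %q\n", args)
	}
}
```

The allowlist approach is deliberately narrow: rather than trying to enumerate every dangerous OpenSSH option, it accepts only what the application needs. The more important control in this advisory remains authentication, since a storage configuration should never reach this code path from an unauthenticated requester in the first place.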

Fix

Weakness Enumeration

OS Command Injection

Missing Authentication

Related Identifiers

CVE-2026-45695
GHSA-2Q4C-3MRW-63C3
GO-2026-5009

Affected Products

Kopia