PT-2026-48463 · Unknown · Erlang/Otp
Jakub Witczak
Published: 2026-06-10 · Updated: 2026-06-10
CVE-2026-48855
CVSS v4.0: 2.3 (Low)
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Erlang OTP versions 17.0 through 29.0.1
Erlang OTP versions prior to 28.5.0.2
Erlang OTP versions prior to 27.3.4.13
Description
An issue in the ssh_sftpd module allows for file discovery through the exposure of sensitive information. The SSH_FXP_READLINK handler sends the raw result of file:read_link/2 to the client without passing it through chroot_filename/2 to remove the backend root prefix. Consequently, an authenticated SFTP client can create a symlink inside the chroot pointing to /, and reading it back via SSH_FXP_READLINK returns the absolute backend root path (e.g., /data/sftp) instead of the chrooted value /. This discloses the absolute filesystem path of the SFTP root directory and any symlink targets within it; file contents, credentials, and paths outside the root directory remain inaccessible. The issue is in lib/ssh/src/ssh_sftpd.erl and requires the SFTP subsystem to be enabled with the root option configured in the ssh_sftpd:subsystem_spec/1 call.
Recommendations
Update Erlang OTP to version 29.0.2 or later.
Update Erlang OTP to version 28.5.0.2 or later.
Update Erlang OTP to version 27.3.4.13 or later.
Use OS-level chroot to run the Erlang VM or SFTP server process in an isolated filesystem environment.
Ensure the SFTP server port is not reachable from untrusted machines.
Ensure no sensitive information is inferrable from the absolute path of the configured root directory.
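The path-translation defect described in the Description, as an added Python illustration (not OTP's Erlang ssh_sftpd code): a minimal chrooted SFTP-style SYMLINK/READLINK handler pair working on a throw-away root directory, with the vulnerable READLINK (raw readlink result sent to the client) beside a fixed one that strips the backend root prefix before replying. The function names, the temporary root and the sample link names (/to_root, /to_report) are constructed for the example; the advisory's /data/sftp appears only in comments. The fixed handler also covers two cases the advisory text does not spell out: a relative symlink target carries no backend prefix and is passed through unchanged, and a target that does not lie under the root is refused rather than revealed.

```python
"""Added illustration of the SSH_FXP_READLINK chroot issue; not OTP's ssh_sftpd code.

A chrooted SFTP server maps the client's view (rooted at "/") onto a backend
directory ("/data/sftp" in the advisory).  SSH_FXP_SYMLINK must translate the
client's target into a backend path before creating the link, and
SSH_FXP_READLINK must translate the backend path it reads back into the
client's view.  Skipping that second step returns the raw backend path.
"""
import os
import tempfile
from typing import Optional


def to_backend(root: str, client_path: str) -> str:
    """Map a client-visible path (absolute, rooted at "/") onto the backend root.

    normpath on a single leading "/" collapses "//" and ".." so the result
    cannot climb above root; the client's "/" maps to root itself.
    """
    inside = os.path.normpath("/" + client_path.lstrip("/"))
    return os.path.normpath(root + inside)


def chroot_filename(root: str, backend_path: str) -> Optional[str]:
    """Strip the backend root prefix so the client sees the chrooted path.

    Returns "/" for root itself, the root-relative path for anything beneath
    it, and None when the path is not under root at all.  A bare string
    prefix test is not enough: "/data/sftpfoo" is not inside "/data/sftp",
    so the check requires the separator after the root.
    """
    root = os.path.normpath(root)
    path = os.path.normpath(backend_path)
    if root == "/":
        return path
    if path == root:
        return "/"
    if path.startswith(root + "/"):
        return path[len(root):]
    return None


def handle_symlink(root: str, client_link: str, client_target: str) -> None:
    """SSH_FXP_SYMLINK: both client paths are translated into the backend.

    Creating "/to_root" -> "/" therefore writes a link whose on-disk target is
    the backend root directory, which is exactly what READLINK later reads.
    """
    os.symlink(to_backend(root, client_target), to_backend(root, client_link))


def readlink_vulnerable(root: str, client_link: str) -> str:
    """SSH_FXP_READLINK as described in the advisory: the raw readlink result
    goes straight to the client, backend root prefix and all."""
    return os.readlink(to_backend(root, client_link))


def readlink_fixed(root: str, client_link: str) -> str:
    """SSH_FXP_READLINK with the backend prefix removed before the reply."""
    target = os.readlink(to_backend(root, client_link))
    if not os.path.isabs(target):
        # A relative target never carries the backend prefix; it is already
        # meaningful in the client's view, relative to the link's directory.
        return target
    chrooted = chroot_filename(root, target)
    if chrooted is None:
        # Design choice for this illustration: never reveal a target outside
        # the SFTP root.  A real server would answer with an SSH_FXP_STATUS
        # error instead of raising.
        raise PermissionError("symlink target lies outside the SFTP root")
    return chrooted


def demo() -> dict:
    """Reproduce the disclosure on a temporary root and return what each
    handler would send to the client for two constructed links."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.normpath(tmp)
        # Constructed client requests: a link to "/" and a link to a file.
        handle_symlink(root, "/to_root", "/")
        handle_symlink(root, "/to_report", "/uploads/report.txt")
        return {
            "root": root,
            "leaked_root": readlink_vulnerable(root, "/to_root"),
            "fixed_root": readlink_fixed(root, "/to_root"),
            "leaked_file": readlink_vulnerable(root, "/to_report"),
            "fixed_file": readlink_fixed(root, "/to_report"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

Running the script prints the temporary root under leaked_root (the vulnerable handler echoes the backend path verbatim) and "/" under fixed_root; the same pattern holds for the file link, where only the fixed handler returns the client-relative /uploads/report.txt. The separator-aware prefix check in chroot_filename is the part worth copying: stripping a prefix with a plain startswith would wrongly treat a sibling directory such as /data/sftpfoo as inside the root.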
Information Disclosure
Affected Products
Erlang/Otp