PT-2026-55267 · Unknown · Erlang/Otp

Jakub Witczak +1

Published 2026-07-02 · Updated 2026-07-02 · CVE-2026-53422

CVSS v4.0: 2.3 (Low)
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Erlang OTP versions 17.0 through 29.0.3
Erlang OTP versions 17.0 through 28.5.0.3
Erlang OTP versions 17.0 through 27.3.4.14
Description

An observable response discrepancy in the ssh_sftpd module allows an authenticated SFTP user to enumerate files and directories outside the configured root directory. The SSH_FXP_REALPATH handler calls relate_file_name/3 with Canonicalize=false, which allows path traversal components to bypass the is_within_root/2 check. The path then enters resolve_symlinks/2, which performs read_link() syscalls on arbitrary filesystem paths. An attacker can use a crafted traversal path in a REALPATH request to create a path-existence oracle, as the server returns SSH_FXP_NAME if the path exists and SSH_FX_NO_SUCH_FILE if it does not. This issue is associated with the file lib/ssh/src/ssh_sftpd.erl and the function ssh_sftpd:handle_op/4. This flaw only leaks the existence of paths and does not provide access to file contents or credentials.
Recommendations

Update Erlang OTP to a version newer than 29.0.3, 28.5.0.3, or 27.3.4.14, depending on the release line in use.
Use OS-level chroot to run the Erlang VM or SFTP server process in an isolated filesystem environment.
Restrict access to the SFTP server port so it is not reachable from untrusted machines.
Ensure that no sensitive information is inferable from the existence or non-existence of paths on the host filesystem.
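The root cause described above is an ordering problem: the root check runs on a path that still contains ".." components, and the filesystem is touched before confinement is settled. The module below is an added illustration of the correct ordering, written for this page; it is not code from Erlang/OTP or from the ssh_sftpd module, and the module name sftp_root_check, the function names, and the root /srv/sftp are all made up. It canonicalizes lexically (no filesystem access) before checking containment, and only a path that passes the check is ever handed to anything that would stat or read links.

```erlang
%% Added illustration, not Erlang/OTP code: confining a client-supplied SFTP
%% path to a server root. Module, function and path names are invented.
-module(sftp_root_check).
-export([canonicalize/1, relate/2, within_root/2, weak_within_root/2,
         realpath_reply/2]).

%% Lexically resolve "." and ".." components and make the path absolute.
%% Nothing here touches the filesystem, so no existence information can
%% leak before the containment check has run.
canonicalize(Path) ->
    ["/" | Parts] = filename:split(filename:join("/", Path)),
    filename:join(["/" | lists:reverse(resolve(Parts, []))]).

resolve([], Acc)                  -> Acc;
resolve(["." | Rest], Acc)        -> resolve(Rest, Acc);
resolve([".." | Rest], [])        -> resolve(Rest, []);      % ".." at "/" stays at "/"
resolve([".." | Rest], [_ | Acc]) -> resolve(Rest, Acc);
resolve([Comp | Rest], Acc)       -> resolve(Rest, [Comp | Acc]).

%% Map a client path (absolute from the client's point of view, e.g. "/docs")
%% onto the server root, then canonicalize the combined path.
relate(Root, ClientPath) ->
    ["/" | Parts] = filename:split(filename:join("/", ClientPath)),
    canonicalize(filename:join([Root | Parts])).

%% Hardened check: both sides canonicalized, path must equal the root or lie
%% strictly below it. Root "/" admits every absolute path.
within_root(Root, Path) ->
    CRoot = canonicalize(Root),
    CPath = canonicalize(Path),
    CRoot =:= "/" orelse CPath =:= CRoot
        orelse lists:prefix(CRoot ++ "/", CPath).

%% Weak variant kept only for contrast: a plain string-prefix test on the
%% un-canonicalized path. "/srv/sftp/docs/../../etc" passes it even though
%% it resolves to "/etc", which is the class of mistake the advisory describes.
weak_within_root(Root, Path) ->
    lists:prefix(Root ++ "/", Path).

%% Shape of a REALPATH-style handler. Paths outside the root get one fixed
%% answer regardless of whether they exist on disk, so the reply cannot act
%% as an existence oracle; only in-root paths may go on to symlink resolution.
realpath_reply(Root, ClientPath) ->
    Full = relate(Root, ClientPath),
    case within_root(Root, Full) of
        false -> {error, permission_denied};
        true  -> {ok, Full}
    end.
```

From an Erlang shell, `sftp_root_check:realpath_reply("/srv/sftp", "/docs/../../etc")` yields a permission error without any stat or read_link call, while `sftp_root_check:weak_within_root("/srv/sftp", "/srv/sftp/docs/../../etc")` returns true and shows why a prefix test before canonicalization is not a containment check. Two caveats a practitioner should keep in mind: the out-of-root reply must be identical for existing and non-existing targets (otherwise the oracle survives in a different status code), and if the server later follows symlinks, the resolved target has to be passed through within_root/2 again, since a link inside the root may point outside it.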

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-53422
GHSA-H9PW-H5W4-H976

Affected Products

Erlang/Otp