CVE-2026-41589 — AI Deep Analysis Summary

🚨 **Essence**: A Path Traversal flaw in Wish SCP middleware. 📉 **Consequences**: Attackers can read/write **arbitrary files** and create directories outside the allowed root.…

🛡️ **Root Cause**: **CWE-22** (Path Traversal). The SCP middleware fails to sanitize input. It allows `../` sequences to escape the designated directory boundary. 🚫 No proper validation of file paths.

🎯 **Affected**: **charmbracelet/wish**. Specifically versions **2.0.0** up to (but not including) **2.0.1**. 📦 Any server using this specific SCP middleware configuration is at risk.

💀 **Capabilities**: 📖 **Read**: Access sensitive server files. ✍️ **Write**: Inject malicious files. 📂 **Create**: Make directories outside the chroot/root. ⚠️ High impact on Confidentiality & Integrity.

🔑 **Threshold**: **Medium**. Requires **PR:L** (Low Privileges). You need valid SSH credentials to connect. 🚶 Not remote unauthenticated, but easy for any valid user to exploit.

🧪 **Exploit Status**: No public PoC listed in data. 🕵️ However, path traversal is a standard technique. Wild exploitation is likely if attackers know the target uses Wish SCP. 🕸️

🔍 **Self-Check**: 1. Check Wish version (`< 2.0.1`). 2. Scan for SCP service on SSH port. 3. Test if `../` in filenames escapes the root dir. 🧪 Use standard path traversal payloads.

✅ **Fixed**: Yes! Patched in **v2.0.1**. 🛠️ Upgrade immediately. Reference: [GitHub Advisory](https://github.com/charmbracelet/wish/security/advisories/GHSA-xjvp-7243-rg9h).

🚧 **No Patch?**: Disable SCP middleware if not needed. 🚫 Restrict user permissions. 🛑 Implement strict path validation at the application level. Isolate the service.

🔥 **Urgency**: **HIGH**. CVSS Score indicates High Impact. 📅 Published May 2026. Update to v2.0.1 ASAP to prevent arbitrary file access. Don't wait!