CVE-2026-23942— SFTP root escape via component-agnostic prefix check in ssh_sftpd
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-23942
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SFTP root escape via component-agnostic prefix check in ssh_sftpd
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2. The SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Erlang/OTP 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Erlang/OTP是Erlang/OTP开源的一个JavaScript编写的处理处理异常的库。该库可以捕捉node.js内置API引发的异常。 Erlang/OTP 17.0至28.4.1版本、27.3.4.9版本和26.2.5.18版本存在安全漏洞,该漏洞源于路径名限制不当,可能导致路径遍历攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-23942
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-23942
请登录查看更多情报信息。
Same Patch Batch · Erlang · 2026-03-13 · 3 CVEs total
| CVE-2026-23943 | Pre-auth SSH DoS via unbounded zlib inflate | |
| CVE-2026-23941 | Request smuggling via first-wins Content-Length parsing in inets httpd |
IV. Related Vulnerabilities
Same product: OTP
- CVE-2026-32147
SFTP chroot bypass via path traversal in SSH_FXP_FSETSTAT - CVE-2026-28808
ScriptAlias CGI targets bypass directory auth in inets httpd - CVE-2026-32144
OCSP designated-responder authorization bypass via missing s - CVE-2026-28810
Predictable DNS Transaction IDs Enable Cache Poisoning in Bu - CVE-2026-23941
Request smuggling via first-wins Content-Length parsing in i
Same vendor: Erlang
- CVE-2026-32147
SFTP chroot bypass via path traversal in SSH_FXP_FSETSTAT - CVE-2026-28808
ScriptAlias CGI targets bypass directory auth in inets httpd - CVE-2026-32144
OCSP designated-responder authorization bypass via missing s - CVE-2026-28810
Predictable DNS Transaction IDs Enable Cache Poisoning in Bu - CVE-2026-23941
Request smuggling via first-wins Content-Length parsing in i
Same weakness: CWE-22
- CVE-2026-8274
npitre cramfs-tools Directory cramfsck.c do_directory path t - CVE-2022-50956
WordPress Plugin amministrazione-aperta 3.7.3 Local File Rea - CVE-2026-8215
Industrial Application Software IAS Canias ERP RMI iasReques - CVE-2026-42605
AzuraCast: Path Traversal in `currentDirectory` Parameter En - CVE-2026-42574
apko dirFS has a symlink-following path traversal that allow
V. Comments for CVE-2026-23942
No comments yet