Erlang/OTP SSH chroot Path Traversal Vulnerability (CVE-2026-32147)

Vulnerability Overview Vulnerability Name: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in SFTP chroot CVE ID: CVE-2026-32147 CVSS Score: 5.3 / 10 (Moderate) Vulnerability Type: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')) Description: The SFTP daemon ( ) stores the original, user-provided path in file handles instead of the chroot-resolved path. When an operation targets such a file handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem, thereby bypassing the directory boundary. Impact: This is a path traversal vulnerability that breaks SFTP directory isolation. Any authenticated SFTP user on a server configured with the option can modify file attributes of files located outside the intended chroot boundary on the real filesystem. Prerequisite: The target file must exist on the real filesystem (e.g., ). The attacker needs write permission to create the corresponding path, then use to modify the attributes of the real . Limitation: This vulnerability only allows modification of file attributes (permissions, ownership, timestamps); file contents cannot be read or modified. Severity: If the SSH daemon runs as root, an attacker could leverage this vulnerability for direct privilege escalation (e.g., setting the suid bit, changing ownership of sensitive files, or making system configuration world-writable). --- Affected Scope Determining Affected/Uunaffected Versions: Version greater than or equal to the listed patched version: Unaffected. Version matching the listed affected version expression: Affected. If version does not match the affected expression: Unaffected. Note: Versions released before the introduction of the new OTP version scheme were never listed and therefore cannot be compared. --- Remediation Workarounds (Temporary Mitigations): 1. For affected versions, the recommended mitigation is to not use the option in . 2. Instead, rely on OS-level chroot or container isolation to restrict SFTP users. 3. Ensure the Erlang VM is not running under a privileged OS user (see glossary for details). 4. Running the VM as a non-privileged user can mitigate the impact of the vulnerability because attribute modifications are limited by that user's OS-level permissions. Credits: Thanks to John Downey for discovering and responsibly disclosing this vulnerability to the Erlang/OTP project.

Goal Reached Thanks to every supporter — we hit 100%!

Erlang/OTP SSH chroot Path Traversal Vulnerability (CVE-2026-32147)

More from this source