CVE-2026-32147
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.
The SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.
Any authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.
If the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.
This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4.
This issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
8- osv-coords4 versionspkg:rpm/opensuse/erlang27&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/erlang&distro=openSUSE%20Leap%2016.0pkg:rpm/suse/erlang&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/erlang&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
< 27.1.3-2.1+ 3 more
- (no CPE)range: < 27.1.3-2.1
- (no CPE)range: < 27.1.3-160000.5.1
- (no CPE)range: < 27.1.3-160000.5.1
- (no CPE)range: < 27.1.3-160000.5.1
Patches
Vulnerability mechanics
References
5- github.com/erlang/otp/commit/28c5d5a6c5f873dc701b597276271763e7d1c004nvdPatch
- cna.erlef.org/cves/CVE-2026-32147.htmlnvdVendor Advisory
- github.com/erlang/otp/security/advisories/GHSA-28jg-mw9x-hpm5nvdVendor Advisory
- osv.dev/vulnerability/EEF-CVE-2026-32147nvdThird Party Advisory
- www.erlang.org/doc/system/versions.htmlnvdProduct
News mentions
0No linked articles in our index yet.