CVE-2026-48827
Description
Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH access to git repositories outside the configured git server root directory.
Applications are affected if they use org.apache.sshd:sshd-git. Applications not using sshd-git are not affected.
Users are advised to upgrade affected applications to Apche MINA SSHD 2.18.0, which fixes the issue.
The issue also is present in the pre-release milestones 3.0.0-M1 to 3.0.0-M3 for a new upcoming new major version 3.0.0. Again, applications are affected only if they use sshd-git. Upgrade affected applications to 3.0.0-M4.
We would like to point out that a professional git server should not rely solely on file system layout and permissions, but should implement additional security controls to govern access to git repositories and operations allowed on particular git repositories.
Affected products
1Patches
14dd93b9371aeMention security fix
1 file changed · +1 −1
docs/changes/2.18.0.md+1 −1 modified@@ -4,7 +4,7 @@ * [GH-743](https://github.com/apache/mina-sshd/issues/743) Ensure the Java `ServiceLoader` use a singleton `SftpFileSystemProvider` * [GH-879](https://github.com/apache/mina-sshd/issues/879) Close SSH channel gracefully on exception in port forwarding -* Improve handling of repository paths in `sshd-git`. +* **Security**: Improve handling of repository paths in `sshd-git`. Resolves [CVE-2026-48827](https://www.cve.org/CVERecord?id=CVE-2026-48827), [announced](https://lists.apache.org/thread/910kq9ghm6js0k1yhhbrdm9sf5tqq9c9) 2026-05-30. ## New Features
Vulnerability mechanics
Root cause
"Missing path validation in sshd-git allows path traversal sequences in repository paths to escape the configured git server root directory."
Attack vector
An attacker authenticated over SSH can supply a crafted repository path containing path traversal sequences (e.g., `../`) to git operations like `git-upload-pack` or `git-receive-pack`. The lack of path validation allows the attacker to access git repositories located outside the configured git server root directory [CWE-22]. This results in unauthorized read access (and potentially limited write access) to arbitrary git repositories on the filesystem.
Affected code
The vulnerability resides in the `sshd-git` module of Apache MINA SSHD, specifically in the handling of repository paths for git operations such as `git-upload-pack` and `git-receive-pack`. The patch file `docs/changes/2.18.0.md` indicates that the fix improves handling of repository paths in `sshd-git` [patch_id=4195393].
What the fix does
The patch updates the changelog entry for version 2.18.0 to mark the repository path handling improvement as a security fix resolving CVE-2026-48827 [patch_id=4195393]. While the diff only shows a documentation change, the actual code fix (not shown in this patch) must validate and sanitize repository paths to prevent traversal outside the configured git server root directory. Users are advised to upgrade to MINA SSHD 2.18.0 or 3.0.0-M4.
Preconditions
- configThe application must use the org.apache.sshd:sshd-git module.
- authThe attacker must have SSH access authenticated to the server.
- inputThe attacker must be able to supply a repository path to a git operation (e.g., git clone, push).
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.