CVE-2026-23942: SFTP root escape via component-agnostic prefix check in ssh_sftpd

Published Mar 13, 2026
·
Updated

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2. The SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.

Affected Software

10 affected componentsFixes available
Erlang OTP>=17.0<28.4.1
Erlang ssh>=3.0.1<5.5.1
Microsoft azl3 erlang 26.2.5.17-1
Patch available
Microsoft cbl2 erlang 25.3.2.21-4
Patch available
Erlang Erlang\/otp>=17.0<26.2.5.18
Erlang Erlang\/otp>=27.0<27.3.4.9
Erlang Erlang\/otp>=28.0<28.4.1
Erlang Erlang\/ssh>=3.0.1<5.1.4.14
Erlang Erlang\/ssh>=5.2<5.2.11.6
Erlang Erlang\/ssh>=5.5<=5.5.1

Remediation

Patch Available

https://github.com/erlang/otp/commit/27688a824f753d4c16371dc70e88753fb410590b

Patch Available

https://github.com/erlang/otp/commit/5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759

Patch Available

https://github.com/erlang/otp/commit/9e0ac85d3485e7898e0da88a14be0ee2310a3b28

Event History

Mar 13, 2026
CVE Published
via MITRE·09:11 AM
Data Sourced
via MITRE·09:11 AM
DescriptionWeakness
Data Sourced
via NVD·07:54 PM
RemedyDescriptionSeverityWeaknessAffected Software
Mar 17, 2026
Data Sourced
via Microsoft·08:01 AM
DescriptionSeverityWeaknessAffected Software
Updated
via Microsoft·08:01 AM
Affected Software
Updated
via Microsoft·08:01 AM
DescriptionSeverity
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-23942?

CVE-2026-23942 has a significant severity due to its potential for causing path traversal vulnerabilities in affected software versions.

2

How do I fix CVE-2026-23942?

To fix CVE-2026-23942, upgrade to Erlang OTP version 28.4.2 or later, and ensure your Erlang SSH implementation is updated accordingly.

3

Which software is affected by CVE-2026-23942?

CVE-2026-23942 affects Erlang OTP versions between 17.0 and 28.4.1, and Erlang SSH versions between 3.0.1 and 5.5.1.

4

What type of vulnerability is CVE-2026-23942?

CVE-2026-23942 is classified as a Path Traversal vulnerability that allows unauthorized access to restricted directories.

5

Is there a known exploit for CVE-2026-23942?

As of now, there is no publicly disclosed exploit for CVE-2026-23942, but it poses serious security risks if unpatched.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203