Zero Day Monitor (ZDM) © 2026
CVE-2026-53422 (PATCHED)
erlang · otp

SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured root

Description

Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.

The SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the is_within_root/2 check without being resolved. The un-canonicalized path then enters resolve_symlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths.

An authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (SSH_FXP_NAME when the path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.

The vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.

This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_op/4. This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14, corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
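The mechanism described above (a textual containment check that only holds if the path has been canonicalized first) is easy to see in a small model. The following is an added example written for this page, not code from the OTP project: the function names mirror the routines named in the description, but their bodies, the constructed root "/srv/sftp/alice", and the constructed request paths are assumptions. It models only the textual "..": resolution step; it does not touch the filesystem and does not model the later symlink-resolution step from which the existence oracle arises.

```python
import posixpath
from typing import Optional

# Constructed example: the configured SFTP root for one user.
ROOT = "/srv/sftp/alice"


def relate_file_name(root: str, requested: str, canonicalize: bool) -> str:
    """Map a client-supplied path onto the configured root.

    canonicalize=True resolves '.' and '..' components textually
    (posixpath.normpath). canonicalize=False keeps them as sent, which
    models the un-resolved path the REALPATH handler passed along.
    """
    rel = requested.lstrip("/")  # client paths are interpreted relative to the root
    joined = posixpath.join(root, rel) if rel else root
    return posixpath.normpath(joined) if canonicalize else joined


def is_within_root(root: str, path: str) -> bool:
    """Textual containment check: the path must be the root itself or start
    with 'root/'. It does not resolve '..' on its own, so it is only sound
    when the caller has canonicalized the path first."""
    root = root.rstrip("/") or "/"
    return path == root or path.startswith(root + "/")


def realpath_decision(root: str, requested: str, canonicalize: bool) -> str:
    """Decision the handler would reach for a request: 'ALLOW' if the mapped
    path passes the root check, otherwise 'DENY'. With canonicalize=False a
    path such as '../../../etc' still begins with the root string and is
    allowed through; with canonicalize=True it collapses to '/etc' and is
    denied."""
    path = relate_file_name(root, requested, canonicalize)
    return "ALLOW" if is_within_root(root, path) else "DENY"


def hardened_realpath(root: str, requested: str) -> Optional[str]:
    """Hardened variant: always canonicalize before the containment check.
    Returns the canonical path inside the root, or None if the request
    escapes it."""
    path = relate_file_name(root, requested, canonicalize=True)
    return path if is_within_root(root, path) else None


if __name__ == "__main__":
    # Constructed requests: one benign, two that try to leave the root.
    for req in ("docs/report.txt", "../../../etc", "../alice2"):
        print(
            f"{req:16} uncanonicalized={realpath_decision(ROOT, req, False):5} "
            f"canonicalized={realpath_decision(ROOT, req, True):5} "
            f"hardened={hardened_realpath(ROOT, req)}"
        )
```

The "../alice2" case shows why the check compares against root plus a trailing slash rather than the bare root string: "/srv/sftp/alice2" starts with "/srv/sftp/alice" but is a sibling directory, not a child. Textual normalization is only the first half of a sound check; a real server must also resolve symbolic links against the root, which this model deliberately leaves out.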

Affected Products

Vendor   Product   Versions
erlang   otp       3.0.1, 17.0, 84adefa331c4159d432d22840663c38f155cd4c1

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor        Product      Source          Confidence
open source   erlang/otp   cert_advisory   90%

References

  • https://github.com/erlang/otp/security/advisories/GHSA-h9pw-h5w4-h976 (vendor-advisory, related)
  • https://cna.erlef.org/cves/CVE-2026-53422.html (related)
  • https://osv.dev/vulnerability/EEF-CVE-2026-53422 (related)
  • https://www.erlang.org/doc/system/versions.html#order-of-versions (x_version-scheme)
  • https://github.com/erlang/otp/commit/059e5785ef8c1d423820ca633fb7b37f47645172 (patch)
  • https://github.com/erlang/otp/commit/86622cfaacf57a02c7645d1999f946846b504c94 (patch)
  • https://github.com/erlang/otp/commit/c5a8f50ae68888ff243c5c741a06d2b3a4b48b7a (patch)

Related News (2 articles)

Tier B · BSI Advisories · 12h ago
[NEW] [medium] Erlang/OTP: Multiple vulnerabilities
→ No new info (linked only)
Tier C · VulDB · 1d ago
CVE-2026-53422 | Erlang OTP up to 29.0.3 SSH_FXP_REALPATH ssh_sftpd.erl read_link response discrepancy
→ No new info (linked only)
CISA KEV: No
Actively exploited: No
Patch available: Yes
CWE: CWE-204
Published: Jul 2, 2026
Last enriched: 1d ago (v2)
Trending Score: 30
Source articles: 2
Independent: 2
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

CVE-2026-55950 · NONE · EXP
DTLS listener crash via race condition in dtls_packet_demux causes denial of service for all sessions
Trending: 58
CVE-2026-55952 · NONE · EXP
TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension
Trending: 52
CVE-2026-54886 · NONE · EXP
SSH SFTP server denial of service via extended channel data infinite loop
Trending: 48
CVE-2026-54887 · NONE
DTLS server cookie bypass during startup window due to empty initial cookie secret
Trending: 30
CVE-2026-54891 · NONE
Plaintext APPLICATION_DATA injected during TLS handshake delivered to client application post-handshake in ssl
Trending: 30

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Jul 2, 2026
Discovered by ZDM: Jul 2, 2026
Updated (description, severity): Jul 2, 2026
Patch Available: Jul 3, 2026

Version History

Current: v2 (last enriched 1d ago)

v2 · Tier C · 1d ago
Updated description with new details, changed severity to HIGH, and noted that no exploit exists.
Changed fields: description, severity
via VulDB

v1 · 1d ago
Initial creation