CVE-2026-23942 in OTP

Summary

by MITRE • 03/13/2026

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.

This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2.

The SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root.

This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.


Analysis

by VulDB Data Team • 05/21/2026

The vulnerability identified as CVE-2026-23942 represents a critical path traversal flaw within the Erlang Open Telecom Platform's SSH SFTP server implementation. This weakness resides in the ssh_sftpd module where the system employs improper pathname validation techniques that create exploitable conditions for authenticated attackers. The vulnerability stems from the use of string prefix matching through the lists:prefix/2 function instead of robust path component validation mechanisms, creating a fundamental security gap in directory access controls. The flaw specifically impacts the ssh_sftpd:is_within_root/2 routine which fails to properly sanitize user-supplied paths before determining their relationship to the configured root directory. This design oversight allows malicious actors to bypass intended directory restrictions by leveraging common naming patterns that share prefixes with legitimate root paths, effectively undermining the security boundaries established by the system administrators.

The technical implementation of this vulnerability demonstrates a classic path traversal attack vector where the system's validation logic is insufficiently robust. When the SFTP server processes file operations, it performs prefix matching rather than comprehensive path analysis, enabling attackers to navigate beyond the intended root directory boundaries. For instance, if the configured root directory is set to /home/user1, an attacker can access directories such as /home/user10 or /home/user1_backup because the system incorrectly determines these paths as being within the root directory based solely on the prefix match. This behavior violates fundamental security principles of least privilege and proper access control enforcement, creating opportunities for unauthorized data access and potential information disclosure. The vulnerability affects a broad range of Erlang OTP versions including releases from 17.0 through 28.4.1, with specific impacted versions in OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh module versions ranging from 3.0.1 through 5.5.1, 5.2.11.6, and 5.1.4.14, indicating a long-standing issue that has persisted across multiple major releases.
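The prefix test described in the summary and in the paragraph above, beside a component-wise root check, as an added Erlang example that is not OTP's own ssh_sftpd code: the module name, function names and sample paths are hypothetical, and the "."/".." normalization step is an assumption about what a complete check needs beyond replacing the string prefix comparison.

```erlang
%% Added example (not OTP's ssh_sftpd code): the string-prefix test the
%% advisory describes beside a component-wise root check. The module name,
%% function names and sample paths are hypothetical.
-module(sftp_root_check).
-export([prefix_check/2, component_check/2, normalize/1, demo/0]).

%% Vulnerable pattern: lists:prefix/2 on the raw strings. "/home/user1" is a
%% character prefix of "/home/user10", so the sibling directory passes.
prefix_check(Root, Path) ->
    lists:prefix(Root, Path).

%% Hardened pattern: normalize both absolute paths, then require every root
%% component to equal the corresponding candidate component. "user1" and
%% "user10" are different components, so the sibling is rejected.
component_check(Root, Path) ->
    lists:prefix(filename:split(normalize(Root)),
                 filename:split(normalize(Path))).

%% Collapse "." and ".." so "/home/user1/../user10" cannot pass as a child
%% of "/home/user1". Only absolute paths are accepted; the leading "/" is
%% kept aside so ".." can never climb above it.
normalize(Path) ->
    ["/" | Parts] = filename:split(Path),
    Kept = lists:foldl(fun norm_step/2, [], Parts),
    filename:join(["/" | lists:reverse(Kept)]).

norm_step(".", Acc)         -> Acc;
norm_step("..", [_ | Rest]) -> Rest;   % pop the previous component
norm_step("..", [])         -> [];     % already at "/", stay there
norm_step(Part, Acc)        -> [Part | Acc].

%% Run with: erlc sftp_root_check.erl && erl -noshell
%%   -eval 'io:format("~p~n", [sftp_root_check:demo()]), halt().'
%% Each tuple is {Path, PrefixCheck, ComponentCheck}; the last three paths
%% are accepted by the prefix check but rejected by the component check.
demo() ->
    Root = "/home/user1",
    Paths = ["/home/user1",
             "/home/user1/docs/report.txt",
             "/home/user10",
             "/home/user1_backup",
             "/home/user1/../user10"],
    [{P, prefix_check(Root, P), component_check(Root, P)} || P <- Paths].
```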

The operational impact of this vulnerability extends beyond simple unauthorized access to encompass potential data compromise and system integrity violations. Authenticated users can exploit this weakness to traverse directories that should remain restricted, potentially accessing sensitive files, system configuration data, or other resources that should be isolated from normal user operations. The attack surface is particularly concerning in environments where SFTP servers are used for file transfers and remote access, as it allows attackers to escalate privileges and gain access to data that should be protected by directory access controls. This vulnerability directly relates to CWE-22 - Improper Limitation of a Pathname to a Restricted Directory, which is classified as a path traversal weakness in the Common Weakness Enumeration catalog. The attack pattern aligns with ATT&CK technique T1078 - Valid Accounts, as the vulnerability requires authentication but leverages the legitimate access to perform unauthorized directory traversal operations. Additionally, this weakness can facilitate further exploitation through techniques such as T1566 - Phishing with Social Engineering, where attackers might use the path traversal capability to access sensitive files that could be used for credential theft or privilege escalation.

Mitigation strategies for this vulnerability require immediate attention from system administrators and security teams responsible for Erlang OTP installations. The primary recommendation involves applying the latest available security patches and updates from the Erlang OTP maintainers, specifically targeting versions that contain fixes for the ssh_sftpd path validation logic. Organizations should also implement additional protective measures including network segmentation, limiting SFTP server access to trusted networks, and implementing robust monitoring for suspicious file access patterns. Configuration hardening practices should enforce stricter path validation mechanisms and ensure that root directory paths are carefully selected to minimize potential prefix conflicts. System administrators should also consider implementing additional access controls through operating system level restrictions and file permission settings to provide defense-in-depth protection against potential exploitation of this vulnerability. Regular security assessments and penetration testing should be conducted to identify similar path traversal vulnerabilities in other components of the system architecture, as this type of weakness often indicates broader architectural issues with input validation and access control implementation.

Responsible: EEF

Reservation: 01/19/2026

Disclosure: 03/13/2026

Moderation: accepted

CPE: ready

EPSS: 0.00038

KEV: no

Activities: very low
