CVE-2026-45695 in Kopia
Summary
by MITRE • 07/16/2026
Kopia is a cross-platform backup tool for Windows, macOS, and Linux with fast incremental backups, client-side end-to-end encryption, compression, and data deduplication. Prior to 0.23.0, Kopia's HTTP server started with --without-password accepts unauthenticated requests to /api/v1/repo/exists and forwards attacker-supplied SFTP storage configuration to blob.NewStorage, where externalSSH: true and sshArguments containing -oProxyCommand=<cmd> can cause exec.CommandContext("ssh") to invoke the command through OpenSSH. This issue is fixed in version 0.23.0.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in Kopia versions prior to 0.23.0 represents a critical authentication bypass and remote code execution flaw that affects the HTTP server component when operating in unauthenticated mode. This security weakness stems from improper input validation and handling of SFTP storage configurations within the blob storage subsystem, creating a dangerous attack vector for malicious actors seeking unauthorized access to backup systems.
The technical implementation of this vulnerability occurs through the interaction between the --without-password flag and the /api/v1/repo/exists endpoint, which accepts unauthenticated requests without proper authorization checks. When an attacker supplies a malicious SFTP storage configuration containing externalSSH: true and sshArguments with -oProxyCommand=<cmd> parameters, the system forwards this configuration directly to the blob.NewStorage function. This function processes the attacker-controlled SSH arguments and subsequently invokes exec.CommandContext("ssh") with the malicious proxy command, allowing arbitrary command execution on the target system through the OpenSSH client.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass complete system compromise and data exfiltration capabilities. Attackers can leverage this flaw to execute arbitrary commands with the privileges of the Kopia service account, potentially gaining access to backup repositories, sensitive data stored within them, and underlying infrastructure resources. The vulnerability affects all supported platforms including Windows, macOS, and Linux, making it particularly dangerous for organizations operating heterogeneous environments where backup systems serve as central points of data storage and recovery.
This vulnerability aligns with CWE-20 Improper Input Validation and CWE-78 Improper Neutralization of Special Elements used in an OS Command, representing a classic command injection attack vector that exploits trust relationships within the application's architecture. The issue also maps to ATT&CK technique T1059.001 Command and Scripting Interpreter: PowerShell and T1203 Exploitation for Client Execution, as it enables attackers to execute arbitrary code on target systems through legitimate system interfaces. Organizations should prioritize immediate remediation by upgrading to Kopia version 0.23.0 or later, implementing network segmentation controls around backup servers, and monitoring for suspicious API access patterns that might indicate exploitation attempts.
The fix implemented in version 0.23.0 addresses the root cause by properly validating and sanitizing SFTP storage configuration parameters before passing them to the underlying SSH client implementation. This mitigation ensures that externalSSH flags and proxy command arguments are properly validated, preventing arbitrary command execution through crafted storage configurations. Security teams should also consider implementing additional controls such as restricting access to the HTTP server endpoints, enabling authentication mechanisms, and conducting regular security assessments of backup infrastructure components to prevent similar vulnerabilities from emerging in other system components.
Organizations relying on Kopia for backup operations must understand that this vulnerability represents a significant risk to their data protection strategies, as compromised backup systems can provide attackers with extensive access to historical data and potentially serve as entry points for broader network infiltration. The combination of client-side encryption, deduplication, and the unauthenticated API endpoints creates a complex attack surface that requires careful monitoring and defense-in-depth approaches to protect against exploitation attempts targeting these critical infrastructure components.