
CVE-2026-23942: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Erlang OTP

Severity: Medium
Tags: vulnerability, CVE-2026-23942, CWE-22
Published: Fri Mar 13 2026 (03/13/2026, 09:11:56 UTC)
Source: CVE Database V5
Vendor/Project: Erlang
Product: OTP

Description

CVE-2026-23942 is a path traversal vulnerability in the Erlang OTP ssh_sftpd module affecting versions from OTP 17.0 through OTP 28.4.1 and the related ssh application releases. The flaw arises because the SFTP server uses string prefix matching instead of path component validation to check whether a requested path is within the configured root directory. This allows authenticated users to access sibling directories whose names share a prefix with the root directory, potentially exposing unauthorized files. The vulnerability requires authentication but no user interaction and has a CVSS 4.0 score of 5.3, indicating medium severity. There are no known exploits in the wild currently.

AI-Powered Analysis

Last updated: 03/13/2026, 09:44:55 UTC

Technical Analysis

CVE-2026-23942 is a path traversal vulnerability (CWE-22) in the ssh_sftpd module of Erlang OTP, specifically in the source file lib/ssh/src/ssh_sftpd.erl and the function ssh_sftpd:is_within_root/2. The vulnerability stems from using string prefix matching (via lists:prefix/2) to verify that a requested file path lies within the configured root directory of the SFTP server. This approach is flawed because it does not validate individual path components: a path that merely shares a leading string with the root directory, but is actually outside it, is accepted. For example, if the root directory is /home/user1, paths such as /home/user10 or /home/user1_backup are incorrectly treated as valid, allowing authenticated users to access sibling directories and potentially sensitive files outside the intended root.

The affected OTP versions range from 17.0 up to 28.4.1, including the patch releases 27.3.4.9 and 26.2.5.18, and the corresponding ssh application versions from 3.0.1 to 5.5.1 plus certain patch versions. The vulnerability requires authentication but no user interaction; it does not affect confidentiality or availability directly but can lead to unauthorized information disclosure. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the moderate risk. No public exploits are known at this time, but the flaw is a genuine logic error in path validation that could be exploited in environments where Erlang OTP's ssh_sftpd provides SFTP services.
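The following is an added illustration of the check described above, constructed for this page rather than taken from OTP's ssh_sftpd source: the module name, function names and sample paths are assumptions. It places a bare lists:prefix/2 string check beside a component-wise check that resolves "." and ".." before comparing.

```erlang
%% Constructed illustration of CVE-2026-23942, not OTP's ssh_sftpd code.
%% Module and function names are assumptions; paths are sample values.
-module(sftp_root_check).
-export([is_within_root_prefix/2, is_within_root_components/2, demo/0]).

%% Flawed check: plain string prefix matching. "/home/user10" begins
%% with "/home/user1", so a sibling directory passes the test.
is_within_root_prefix(Root, Path) ->
    lists:prefix(Root, Path).

%% Hardened check: compare path components rather than characters.
%% "." and ".." are resolved first, so "/home/user1/../user10" is also
%% rejected. Assumes Unix-style absolute paths on both sides.
is_within_root_components(Root, Path) ->
    lists:prefix(normalize(Root), normalize(Path)).

%% Split a path into components and collapse "." and "..", never
%% climbing above the leading "/".
normalize(Path) ->
    lists:reverse(lists:foldl(fun fold_part/2, [], filename:split(Path))).

fold_part(".", Acc)          -> Acc;
fold_part("..", ["/"] = Acc) -> Acc;   % already at the filesystem root
fold_part("..", [])          -> [];
fold_part("..", [_ | Rest])  -> Rest;
fold_part(Part, Acc)         -> [Part | Acc].

%% Runs both checks over sample paths; each tuple is
%% {Path, PrefixResult, ComponentResult}. Only the first path lies
%% inside the root; the prefix check wrongly accepts all four.
demo() ->
    Root = "/home/user1",
    Cases = ["/home/user1/docs/report.txt",
             "/home/user10/private.txt",
             "/home/user1_backup/dump.sql",
             "/home/user1/../user10/private.txt"],
    [{P, is_within_root_prefix(Root, P), is_within_root_components(Root, P)}
     || P <- Cases].
```

Compile and run from an Erlang shell with `c(sftp_root_check), sftp_root_check:demo().` A component-wise check still trusts the filesystem, so symlinks inside the root that point outside it need a separate policy (for example, resolving the real path or disallowing symlink traversal).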

Potential Impact

The primary impact of CVE-2026-23942 is unauthorized access to files outside the intended SFTP root directory by authenticated users. This can lead to information disclosure of sensitive files stored in sibling directories that share a prefix with the configured root. While it does not allow remote unauthenticated access or direct code execution, the breach of directory isolation undermines the security model of the SFTP server. Organizations relying on Erlang OTP's ssh_sftpd for secure file transfers may face data leakage risks, especially if sensitive data is stored in adjacent directories. This can affect confidentiality and potentially lead to compliance violations or data breaches. The vulnerability could also facilitate lateral movement within a compromised environment if attackers gain authenticated access. Given the widespread use of Erlang OTP in telecommunications, messaging systems, and distributed applications, the impact could be significant in sectors such as finance, telecommunications, and government infrastructure.

Mitigation Recommendations

To mitigate CVE-2026-23942, organizations should upgrade Erlang OTP to versions beyond OTP 28.4.1 or the latest patched releases where the vulnerability is fixed. If immediate upgrading is not feasible, administrators should implement strict path validation controls on the SFTP server side, ensuring that path checks verify full path components rather than relying on prefix matching. Employing chroot jails or containerization to isolate the SFTP environment can further limit exposure. Monitoring and logging SFTP access for unusual directory traversal attempts can help detect exploitation attempts. Additionally, restricting SFTP access to only trusted users and enforcing strong authentication mechanisms reduces risk. Regularly auditing file system permissions and directory structures to avoid sensitive data residing in sibling directories with similar prefixes is also recommended. Finally, organizations should stay informed about Erlang OTP security advisories and apply patches promptly.


Technical Details

Data Version: 5.2
Assigner Short Name: EEF
Date Reserved: 2026-01-19T14:23:14.343Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69b3d90e2f860ef943bac728

Added to database: 3/13/2026, 9:29:50 AM

Last enriched: 3/13/2026, 9:44:55 AM

Last updated: 3/13/2026, 10:52:04 AM