CVE-2026-23942: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Erlang OTP
CVE-2026-23942 is a path traversal vulnerability in the Erlang OTP ssh_sftpd module. The vulnerability arises because the SFTP server uses string prefix matching instead of proper path component validation to check if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common prefix with the root directory, potentially exposing unauthorized files. The issue affects multiple OTP versions from 17. 0 up to 28. 4. 1 and related ssh versions. The CVSS score is 5. 3, indicating a medium severity level.
AI Analysis
Technical Summary
This vulnerability in Erlang OTP's ssh_sftpd module (specifically in ssh_sftpd:is_within_root/2) is due to improper limitation of a pathname to a restricted directory (CWE-22). The SFTP server incorrectly uses lists:prefix/2 for path validation, which only checks if the path string starts with the root directory string, rather than validating path components. Consequently, paths like /home/user10 or /home/user1_backup are incorrectly considered inside the root directory /home/user1, allowing authenticated users to access sibling directories. Affected OTP versions range from 17.0 through 28.4.1, including specific patch versions noted. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting medium severity with network attack vector, low complexity, and low impact on confidentiality and integrity.
Potential Impact
Authenticated users of the vulnerable Erlang OTP ssh_sftpd SFTP server can bypass directory restrictions and access files outside the intended root directory if those directories share a common prefix with the root. This could lead to unauthorized disclosure of files in sibling directories. The impact is limited by the requirement for authentication and the low confidentiality and integrity impact scores.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. There are no patch links provided in the available data. Until an official fix is released, administrators should consider restricting user access or monitoring SFTP usage carefully to detect potential abuse of this path traversal issue. Avoid relying solely on string prefix matching for path validation in custom configurations.
CVE-2026-23942: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Erlang OTP
Description
CVE-2026-23942 is a path traversal vulnerability in the Erlang OTP ssh_sftpd module. The vulnerability arises because the SFTP server uses string prefix matching instead of proper path component validation to check if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common prefix with the root directory, potentially exposing unauthorized files. The issue affects multiple OTP versions from 17. 0 up to 28. 4. 1 and related ssh versions. The CVSS score is 5. 3, indicating a medium severity level.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Erlang OTP's ssh_sftpd module (specifically in ssh_sftpd:is_within_root/2) is due to improper limitation of a pathname to a restricted directory (CWE-22). The SFTP server incorrectly uses lists:prefix/2 for path validation, which only checks if the path string starts with the root directory string, rather than validating path components. Consequently, paths like /home/user10 or /home/user1_backup are incorrectly considered inside the root directory /home/user1, allowing authenticated users to access sibling directories. Affected OTP versions range from 17.0 through 28.4.1, including specific patch versions noted. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting medium severity with network attack vector, low complexity, and low impact on confidentiality and integrity.
Potential Impact
Authenticated users of the vulnerable Erlang OTP ssh_sftpd SFTP server can bypass directory restrictions and access files outside the intended root directory if those directories share a common prefix with the root. This could lead to unauthorized disclosure of files in sibling directories. The impact is limited by the requirement for authentication and the low confidentiality and integrity impact scores.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. There are no patch links provided in the available data. Until an official fix is released, administrators should consider restricting user access or monitoring SFTP usage carefully to detect potential abuse of this path traversal issue. Avoid relying solely on string prefix matching for path validation in custom configurations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-01-19T14:23:14.343Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69b3d90e2f860ef943bac728
Added to database: 3/13/2026, 9:29:50 AM
Last enriched: 4/14/2026, 4:03:49 PM
Last updated: 4/27/2026, 11:52:48 AM
Views: 82
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.