CVE-2026-48855: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Erlang OTP
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery. The SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /. The information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.
AI Analysis
Technical Summary
The vulnerability in Erlang OTP ssh_sftpd module (CVE-2026-48855) involves the SSH_FXP_READLINK handler returning the absolute backend root path when reading symlinks, due to not calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to the root directory (/), causing ssh_sftpd to resolve and store the absolute backend path. Reading this symlink returns the absolute path (e.g., /data/sftp) instead of the chrooted path (/). This leads to exposure of sensitive information about the absolute filesystem paths within the SFTP root directory. The vulnerability does not allow access to file contents, credentials, or paths outside the root directory. It affects OTP versions from 17.0 before 29.0.2, 28.5.0.2, and 27.3.4.13, and ssh versions from 3.0.1 before 6.0.1, 5.5.2.1, and 5.2.11.8.
Potential Impact
The impact is limited to disclosure of absolute filesystem paths within the SFTP root directory to an authenticated SFTP client. No file contents, credentials, or unauthorized access outside the root directory are exposed by this vulnerability. This information disclosure could aid an attacker in understanding the server's directory structure but does not directly compromise data confidentiality or integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch links are provided, users should monitor Erlang OTP vendor advisories for updates. In the meantime, restrict SFTP client authentication to trusted users to limit exposure. No other specific mitigations are indicated by the available data.
CVE-2026-48855: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Erlang OTP
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery. The SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /. The information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.
CVSS v4.0
Score 2.3low
Affected software
pkg:github/erlang/otpcpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Erlang OTP ssh_sftpd module (CVE-2026-48855) involves the SSH_FXP_READLINK handler returning the absolute backend root path when reading symlinks, due to not calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to the root directory (/), causing ssh_sftpd to resolve and store the absolute backend path. Reading this symlink returns the absolute path (e.g., /data/sftp) instead of the chrooted path (/). This leads to exposure of sensitive information about the absolute filesystem paths within the SFTP root directory. The vulnerability does not allow access to file contents, credentials, or paths outside the root directory. It affects OTP versions from 17.0 before 29.0.2, 28.5.0.2, and 27.3.4.13, and ssh versions from 3.0.1 before 6.0.1, 5.5.2.1, and 5.2.11.8.
Potential Impact
The impact is limited to disclosure of absolute filesystem paths within the SFTP root directory to an authenticated SFTP client. No file contents, credentials, or unauthorized access outside the root directory are exposed by this vulnerability. This information disclosure could aid an attacker in understanding the server's directory structure but does not directly compromise data confidentiality or integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch links are provided, users should monitor Erlang OTP vendor advisories for updates. In the meantime, restrict SFTP client authentication to trusted users to limit exposure. No other specific mitigations are indicated by the available data.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-05-25T20:44:10.697Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a298ad7c9170919df36742c
Added to database: 6/10/2026, 4:03:35 PM
Last enriched: 6/10/2026, 4:19:29 PM
Last updated: 6/10/2026, 6:17:53 PM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.