CVE-2026-32147

{"id": "CVE-2026-32147", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-21T12:15:58.800", "references": [{"url": "https://cna.erlef.org/cves/CVE-2026-32147.html", "tags": ["Vendor Advisory"], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}, {"url": "https://github.com/erlang/otp/commit/28c5d5a6c5f873dc701b597276271763e7d1c004", "tags": ["Patch"], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}, {"url": "https://github.com/erlang/otp/security/advisories/GHSA-28jg-mw9x-hpm5", "tags": ["Vendor Advisory"], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}, {"url": "https://osv.dev/vulnerability/EEF-CVE-2026-32147", "tags": ["Third Party Advisory"], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}, {"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions", "tags": ["Product"], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.\n\nThe SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.\n\nAny authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.\n\nIf the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15."}], "lastModified": "2026-05-21T17:37:07.480", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E37C60D4-5ECE-43AF-B778-AF1BA602B5F6", "versionEndExcluding": "26.2.5.20", "versionStartIncluding": "17.0"}, {"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53AEBB75-1DCB-4B04-9FA5-2821679CFD52", "versionEndExcluding": "27.3.4.11", "versionStartIncluding": "27.0"}, {"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D216AF1C-362E-4C48-B34E-64278BFBC676", "versionEndExcluding": "28.4.3", "versionStartIncluding": "28.0"}, {"criteria": "cpe:2.3:a:erlang:erlang\\/ssh:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEAA2DA5-E7F4-4C25-AABC-6DEDD0984AE5", "versionEndExcluding": "5.1.4.15", "versionStartIncluding": "3.0.1"}, {"criteria": "cpe:2.3:a:erlang:erlang\\/ssh:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55BBE15D-87F3-4922-AEB8-8A2CAFF0EA6E", "versionEndExcluding": "5.2.11.7", "versionStartIncluding": "5.2"}, {"criteria": "cpe:2.3:a:erlang:erlang\\/ssh:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "964AE32A-19EB-4873-B4E1-E78B2DF3C628", "versionEndExcluding": "5.5.2", "versionStartIncluding": "5.5"}], "operator": "OR"}]}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}