CVE-2026-32147 Overview
CVE-2026-32147 is a Path Traversal vulnerability in the Erlang OTP SSH library, specifically within the ssh_sftpd module. The vulnerability allows an authenticated SFTP user to modify file attributes outside the configured chroot directory by exploiting improper path handling in the SFTP daemon.
The SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.
Critical Impact
Authenticated SFTP users can escape chroot restrictions to modify file attributes on arbitrary system files. If the SSH daemon runs as root, attackers can set the setuid bit on binaries, change ownership of sensitive files, or make system configuration files world-writable, enabling direct privilege escalation.
Affected Products
- Erlang/OTP versions 17.0 through 28.4.2 (ssh 3.01 through 5.5.2)
- Erlang/OTP versions 27.x prior to 27.3.4.11 (ssh prior to 5.2.11.7)
- Erlang/OTP versions 26.x prior to 26.2.5.20 (ssh prior to 5.1.4.15)
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-32147 published to NVD
- 2026-04-21 - Last updated in NVD database
Technical Details for CVE-2026-32147
Vulnerability Analysis
This vulnerability stems from a fundamental design flaw in how the Erlang OTP SFTP daemon handles file paths within chroot-configured environments. When a chroot root directory is configured via the root option, the daemon is expected to restrict all file operations to that directory boundary. However, the implementation fails to properly resolve and store the canonical path when creating file handles.
The vulnerability specifically affects two program routines: ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4 located in lib/ssh/src/ssh_sftpd.erl. When a file handle is created, the raw user-supplied path is preserved rather than the resolved chroot path. This becomes exploitable when the SSH_FXP_FSETSTAT operation is invoked, as it operates on the stored raw path rather than the intended chroot-restricted location.
The exploitation requires a specific condition: a target file must exist on the real filesystem at the same relative path as specified by the attacker. While this constraint limits some attack scenarios, it remains highly exploitable in typical server configurations where standard system paths are predictable.
Root Cause
The root cause lies in the improper path normalization within the ssh_sftpd module. The do_open/4 function stores file handles with the original user-provided path rather than the canonicalized path after chroot resolution. Subsequently, when handle_op/4 processes SSH_FXP_FSETSTAT requests, it uses this stored raw path for the actual filesystem operation, completely bypassing the chroot boundary that should have been enforced.
This represents a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) vulnerability where the security boundary is enforced inconsistently across different operations.
Attack Vector
The attack requires network access and valid SFTP authentication credentials. An attacker connects to a vulnerable Erlang OTP SSH server configured with the root option for chroot restriction.
The attack flow proceeds as follows: First, the attacker opens a file using a path that, when resolved relative to the real filesystem root rather than the chroot root, points to a sensitive target file. The daemon creates a file handle storing this unresolved path. The attacker then issues an SSH_FXP_FSETSTAT command on this handle to modify file attributes such as permissions, ownership, or timestamps.
When the SSH daemon runs as root (a common configuration), this enables direct privilege escalation. An attacker can set the setuid bit on binaries like /bin/bash, change ownership of /etc/passwd or /etc/shadow, or make critical configuration files world-writable.
For detailed technical implementation, refer to the GitHub Security Advisory GHSA-28jg-mw9x-hpm5.
Detection Methods for CVE-2026-32147
Indicators of Compromise
- Unexpected changes to file permissions, ownership, or timestamps on sensitive system files outside SFTP chroot directories
- SSH_FXP_FSETSTAT operations in SFTP logs targeting paths outside the configured root boundary
- Modified setuid bits on system binaries that should not have them
- File attribute changes on configuration files like /etc/passwd, /etc/shadow, or /etc/sudoers
Detection Strategies
- Monitor SFTP session logs for SSH_FXP_FSETSTAT operations with path traversal patterns (e.g., ../ sequences)
- Implement file integrity monitoring (FIM) on critical system files to detect unauthorized attribute modifications
- Deploy behavioral analysis to identify authenticated users attempting to access paths outside their chroot boundary
- Audit file permission changes across the system, particularly focusing on setuid/setgid bit modifications
Monitoring Recommendations
- Enable verbose logging on Erlang OTP SSH daemons to capture all SFTP operations including path details
- Configure alerts for any chmod, chown, or attribute modification events on sensitive system directories
- Implement continuous monitoring for privilege escalation indicators such as newly created setuid binaries
- Review Erlang/OTP version inventory across infrastructure to identify vulnerable deployments
How to Mitigate CVE-2026-32147
Immediate Actions Required
- Upgrade Erlang/OTP to patched versions: 28.4.3, 27.3.4.11, or 26.2.5.20 (corresponding ssh versions 5.5.3, 5.2.11.7, or 5.1.4.15)
- If immediate patching is not possible, avoid running the SSH daemon as root to limit privilege escalation impact
- Review SFTP user access and temporarily disable SFTP functionality on critical systems until patching is complete
- Audit recent file attribute changes on systems running vulnerable Erlang/OTP versions
Patch Information
The vulnerability has been addressed in the following Erlang/OTP releases:
- OTP 28.4.3 (ssh 5.5.3)
- OTP 27.3.4.11 (ssh 5.2.11.7)
- OTP 26.2.5.20 (ssh 5.1.4.15)
The fix ensures that file handles store the chroot-resolved path rather than the raw user-supplied path. For technical details on the patch implementation, refer to the GitHub OTP Commit.
Additional resources:
Workarounds
- Run the SSH daemon under a non-root user account to prevent privilege escalation via setuid bit manipulation
- Implement additional filesystem-level restrictions using SELinux or AppArmor policies to limit attribute modification capabilities
- Disable SFTP functionality if not required by configuring the SSH subsystem appropriately
- Use network segmentation to restrict SFTP access to trusted networks only
# Example: Running SSH daemon as non-root user (application-level)
# Modify your Erlang application configuration to drop privileges
# Example: Using filesystem ACLs to restrict attribute changes
# Protect critical directories from attribute modification
setfacl -R -m u:sftp_user:r-x /etc
setfacl -R -m u:sftp_user:r-x /usr/bin
# Example: AppArmor profile snippet to restrict file attribute changes
# /etc/apparmor.d/usr.lib.erlang.ssh_sftpd
# deny capability chown,
# deny capability fsetid,
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
