PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48827 Apache Software Foundation CVE debrief

A path traversal vulnerability in Apache MINA SSHD's sshd-git bundle allows authenticated SSH users to access git repositories outside the configured git server root directory. The flaw stems from missing path validation in git-upload-pack, git-receive-pack, and other git operations. Only applications using the org.apache.sshd:sshd-git artifact are affected; applications not using sshd-git are not vulnerable. The issue is present in versions prior to 2.18.0 and in pre-release milestones 3.0.0-M1 through 3.0.0-M3. The vendor notes that professional git servers should implement additional security controls beyond filesystem layout and permissions.

Vendor
Apache Software Foundation
Product
Apache MINA SSHD
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations running Apache MINA SSHD with the sshd-git bundle for SSH-based git repository access; developers and administrators of custom git-over-SSH solutions built on Apache MINA SSHD.

Technical summary

The sshd-git component of Apache MINA SSHD does not validate the repository path supplied with git operations (git-upload-pack, git-receive-pack, and others). An authenticated SSH user can therefore traverse outside the configured git server root directory and reach repositories they were never granted; the CVSS vector (C:H/I:L) reflects disclosure as the main impact, with limited integrity impact since git-receive-pack is among the affected operations. The vulnerability is classified as CWE-22. Affected versions: all 2.x versions prior to 2.18.0; 3.0.0-M1 through 3.0.0-M3. Unaffected: any application not using sshd-git. Remediation: upgrade to 2.18.0 (2.x stream) or 3.0.0-M4 (3.0.0 milestone stream). The vendor emphasizes defense in depth for git server deployments: filesystem layout and permissions alone are not a sufficient authorization boundary.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to Apache MINA SSHD 2.18.0 if using the 2.x sshd-git artifact
  • If using 3.0.0 pre-release milestones, upgrade to 3.0.0-M4 or later
  • Verify whether your application depends on org.apache.sshd:sshd-git; applications without this dependency are not affected
  • Implement additional access controls governing git repository access and permitted operations, as filesystem layout and permissions alone are insufficient for a professional git server deployment
  • Review SSH authentication configuration: the flaw requires an authenticated session (PR:L), so every account that can reach the git endpoint should be restricted to the repositories and operations (fetch vs. push) it actually needs
  • Log the repository argument of every git-upload-pack/git-receive-pack request and alert on arguments containing "..", absolute paths, or paths that resolve outside the git root
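The check that the advisory describes as missing, and the per-user access control it recommends on top of it, as an added example for this debrief. This is not code from Apache MINA SSHD or the sshd-git bundle: the git command syntax (`git-upload-pack '<path>'`) is what a git client sends in the SSH exec request, but the directory layout, the sample requests, the ACL shape and the function names (resolve_unchecked, resolve_checked, authorize, audit) are constructed for the demo. The unchecked resolver shows the CWE-22 pattern (join and normalise, no containment test); the hardened one canonicalises with realpath so that both ".." segments and symlinks planted inside the root are rejected.

```python
"""Containment check for git-over-SSH repository paths (CWE-22).

Added example for this debrief, not code from Apache MINA SSHD / sshd-git.
Directory layout, requests and ACL below are constructed for the demo.
"""
import os
import shlex
import tempfile

GIT_VERBS = {"git-upload-pack", "git-receive-pack", "git-upload-archive"}


def parse_git_command(command):
    """Split an SSH exec request such as "git-upload-pack '/team/app.git'"
    into (verb, repo_arg). Accepts the two-word "git upload-pack" form too."""
    argv = shlex.split(command)
    if len(argv) == 3 and argv[0] == "git":
        argv = ["git-" + argv[1], argv[2]]
    if len(argv) != 2 or argv[0] not in GIT_VERBS:
        raise ValueError("not a git pack command: %r" % command)
    return argv[0], argv[1]


def resolve_unchecked(root, repo_arg):
    """The vulnerable pattern: join the client-supplied path under the root
    and normalise it, with no test that the result is still beneath the root."""
    return os.path.normpath(os.path.join(root, repo_arg.lstrip("/")))


def resolve_checked(root, repo_arg):
    """Hardened resolution: canonicalise both sides (following symlinks) and
    require the target to be strictly inside the root. Raises PermissionError
    otherwise, so the caller refuses the command before git ever runs."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, repo_arg.lstrip("/")))
    if os.path.commonpath([root_real, target]) != root_real or target == root_real:
        raise PermissionError("repository path escapes git root: %r" % repo_arg)
    return target


def authorize(root, user, command, acl):
    """Per-request gate: parse, contain, then consult a per-user allow-list
    keyed by repository path relative to the root (acl[user][repo] is a set
    of "read"/"write"). Returns (verb, absolute_repo_path) or raises."""
    verb, repo_arg = parse_git_command(command)
    target = resolve_checked(root, repo_arg)
    rel = os.path.relpath(target, os.path.realpath(root))
    need = "write" if verb == "git-receive-pack" else "read"
    if need not in acl.get(user, {}).get(rel, set()):
        raise PermissionError("%s may not %s %s" % (user, need, rel))
    return verb, target


def build_demo_root():
    """Constructed layout: root/team/app.git, a repository outside the root,
    and a symlink inside the root pointing at it (the case normpath misses)."""
    base = tempfile.mkdtemp(prefix="gitdemo-")
    root = os.path.join(base, "git-root")
    os.makedirs(os.path.join(root, "team", "app.git"))
    outside = os.path.join(base, "outside.git")
    os.makedirs(outside)
    os.symlink(outside, os.path.join(root, "link.git"))
    return root


# Constructed requests: two legitimate, three that leave the root.
SAMPLE_REQUESTS = [
    "git-upload-pack 'team/app.git'",
    "git-receive-pack '/team/app.git'",
    "git-upload-pack '../outside.git'",
    "git-upload-pack '/team/../../outside.git'",
    "git-upload-pack 'link.git'",
]


def audit(root, requests=SAMPLE_REQUESTS):
    """Run each request through both resolvers. Returns a list of
    (request, unchecked_resolves_outside_root, hardened_accepts) tuples."""
    root_real = os.path.realpath(root)
    results = []
    for req in requests:
        _, repo_arg = parse_git_command(req)
        unchecked = os.path.realpath(resolve_unchecked(root, repo_arg))
        escapes = os.path.commonpath([root_real, unchecked]) != root_real
        try:
            resolve_checked(root, repo_arg)
            accepted = True
        except PermissionError:
            accepted = False
        results.append((req, escapes, accepted))
    return results


if __name__ == "__main__":
    demo_root = build_demo_root()
    for req, escapes, accepted in audit(demo_root):
        print("%-42s unchecked-escapes=%-5s hardened-accepts=%s"
              % (req, escapes, accepted))
```

The containment test uses the canonical (realpath) form of both the root and the target, not the string the client sent: a literal check for ".." would pass the symlink case, and a prefix check on the raw joined string would let "/git-root-other" through when the root is "/git-root". Refusing before handing the path to git also keeps the rejected request out of git's own error output, which is where such attempts are otherwise first noticed.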

Evidence notes

CVE published 2026-06-01T09:16:20.307Z; modified 2026-06-01T11:16:25.697Z. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N (network-reachable, low attack complexity, low privileges required, i.e. an authenticated SSH user, no user interaction, unchanged scope; high confidentiality impact, low integrity impact, no availability impact), which yields the 7.1 HIGH base score above. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) identified by [email protected]. Vendor attribution derived from the Apache mailing list reference and description content; vendor field marked low-confidence/needs-review in source corpus.
