PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53422 Erlang CVE debrief

Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory. This issue arises from the SSH_FXP_REALPATH handler in ssh_sftpd calling relate_file_name/3 with Canonicalize=false, unlike other SFTP operation handlers. Consequently, .. components in the requested path can bypass the is_within_root/2 check without resolution. The un-canonicalized path then enters resolve_symlinks/2, which traverses the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths. An authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response varies depending on whether the target path exists on the host filesystem (SSH_FXP_NAME when the path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including sensitive files, directories, and mount points. The vulnerability leaks only the existence of paths, not file contents, credentials, or write access, but the information gained may assist further attacks when combined with other vulnerabilities.

Vendor
Erlang
Product
OTP
CVSS
LOW 2.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-02
Original CVE updated
2026-07-07
Advisory published
2026-07-02
Advisory updated
2026-07-07

Who should care

Erlang OTP users, particularly those using the ssh module, should be aware of this vulnerability and take necessary actions to mitigate it. They should assess their installations for exposure, apply patches or updates provided by Erlang, monitor for suspicious SFTP activity, and implement compensating controls such as restricting SFTP access. Additionally, reviewing and updating incident response plans is advisable to ensure preparedness in case of an exploit.

Technical summary

The SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the is_within_root/2 check without being resolved. The un-canonicalized path then enters resolve_symlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths. An authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path.

Defensive priority

Medium priority due to low CVSS score and limited impact.

Recommended defensive actions

  • Inventory and assess Erlang OTP installations for exposure.
  • Apply patches or updates provided by Erlang.
  • Monitor for suspicious SFTP activity.
  • Implement compensating controls, such as restricting SFTP access.
  • Review and update incident response plans.
  • Conduct regular security audits to identify potential vulnerabilities.
  • Enhance monitoring and detection capabilities for SFTP activity.

Evidence notes

The vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities. This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9. The CVE record was published on 2026-07-02T17:17:01.473Z and has not been modified since then.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T17:17:01.473Z and has not been modified since then. The NVD entry is currently Analyzed.