PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45695 kopia CVE debrief

CVE-2026-45695 is a critical vulnerability in Kopia, a cross-platform backup tool. Prior to version 0.23.0, Kopia's HTTP server started with --without-password accepts unauthenticated requests to /api/v1/repo/exists. This allows an attacker to supply SFTP storage configuration, which can lead to command injection through OpenSSH. The issue is fixed in version 0.23.0. The vulnerability has a CVSS score of 9.8 and a severity of CRITICAL. Affected product deployments should be reviewed, and owners should be assigned for follow-up. The official advisory and CVE record should be reviewed to validate affected scope, severity, and vendor guidance.

Vendor
kopia
Product
Unknown
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of Kopia, especially those using versions prior to 0.23.0, should be aware of this vulnerability and take immediate action to upgrade or apply mitigations. Affected operators include Kopia users, administrators, and security teams. The vulnerability affects the Kopia platform and has a high impact on security teams due to its critical severity and potential for command injection.

Technical summary

Kopia's HTTP server, when started with --without-password, does not require authentication for requests to /api/v1/repo/exists. This endpoint is used to check the existence of a repository. An attacker can exploit this by supplying a malicious SFTP storage configuration, which can include externalSSH: true and sshArguments containing -oProxyCommand=<cmd>. This can cause the exec.CommandContext('ssh') to invoke an arbitrary command through OpenSSH. The vulnerability is characterized by a CVSS score of 9.8 and a severity of CRITICAL. The issue is fixed in version 0.23.0.

Defensive priority

High

Recommended defensive actions

  • Upgrade Kopia to version 0.23.0 or later
  • Implement authentication for the HTTP server
  • Restrict access to the /api/v1/repo/exists endpoint
  • Monitor for suspicious activity on the Kopia server
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-16T16:19:08.307Z and last modified on 2026-07-16T19:16:45.527Z. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide specific details about the vulnerability, but it mentions that the issue is fixed in version 0.23.0. Defenders should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T16:19:08.307Z and has not been modified since then. The NVD entry is currently Deferred.