PatchSiren cyber security CVE debrief
CVE-2026-45695 kopia CVE debrief
CVE-2026-45695 is a critical vulnerability in Kopia, a cross-platform backup tool. Prior to version 0.23.0, Kopia's HTTP server started with --without-password accepts unauthenticated requests to /api/v1/repo/exists. This allows an attacker to supply SFTP storage configuration, which can lead to command injection through OpenSSH. The issue is fixed in version 0.23.0. The vulnerability has a CVSS score of 9.8 and a severity of CRITICAL. Affected product deployments should be reviewed, and owners should be assigned for follow-up. The official advisory and CVE record should be reviewed to validate affected scope, severity, and vendor guidance.
- Vendor
- kopia
- Product
- Unknown
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of Kopia, especially those using versions prior to 0.23.0, should be aware of this vulnerability and take immediate action to upgrade or apply mitigations. Affected operators include Kopia users, administrators, and security teams. The vulnerability affects the Kopia platform and has a high impact on security teams due to its critical severity and potential for command injection.
Technical summary
Kopia's HTTP server, when started with --without-password, does not require authentication for requests to /api/v1/repo/exists. This endpoint is used to check the existence of a repository. An attacker can exploit this by supplying a malicious SFTP storage configuration, which can include externalSSH: true and sshArguments containing -oProxyCommand=<cmd>. This can cause the exec.CommandContext('ssh') to invoke an arbitrary command through OpenSSH. The vulnerability is characterized by a CVSS score of 9.8 and a severity of CRITICAL. The issue is fixed in version 0.23.0.
Defensive priority
High
Recommended defensive actions
- Upgrade Kopia to version 0.23.0 or later
- Implement authentication for the HTTP server
- Restrict access to the /api/v1/repo/exists endpoint
- Monitor for suspicious activity on the Kopia server
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-16T16:19:08.307Z and last modified on 2026-07-16T19:16:45.527Z. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide specific details about the vulnerability, but it mentions that the issue is fixed in version 0.23.0. Defenders should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T16:19:08.307Z and has not been modified since then. The NVD entry is currently Deferred.