CVE-2026-48855: Erlang OTP SSH Path Disclosure via Symlink Enumeration
A vulnerability in Erlang OTP's SSH file transfer module allows authenticated SFTP users to discover the absolute filesystem path of the server's SFTP root directory. When a user creates a symbolic link pointing outside the intended chroot jail, the server incorrectly reveals the backend absolute path instead of the restricted path visible to the client. This leaks infrastructure information—specifically filesystem paths—but does not expose file contents, credentials, or permit access beyond the intended boundary.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery. The SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /. The information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The ssh_sftpd module's SSH_FXP_READLINK handler fails to sanitize symlink targets through the chroot_filename/2 function before returning results to the client. When an authenticated attacker creates a symlink within the chroot pointing to /, the SFTP daemon resolves it to the absolute backend root path, persists that path, and returns it unfiltered via SSH_FXP_READLINK. This direct path disclosure bypasses the intended chroot abstraction layer, leaking the actual mount point or root directory location (e.g., /data/sftp) to any authenticated user.
Business impact
The exposure is limited to filesystem path enumeration and does not provide file access or credential theft. However, detailed knowledge of backend filesystem layout increases reconnaissance value for attackers planning further attacks. Organizations relying on chroot obscurity for defense-in-depth or running multi-tenant SFTP environments may face information leakage that violates data classification or compliance policies. The impact is moderate unless the exposed paths reveal sensitive infrastructure details tied to other systems.
Affected systems
Erlang OTP versions 17.0 through versions before 27.3.4.13, 28.5.0.2, and 29.0.2 are affected. In terms of SSH module versions, this impacts ssh 3.0.1 through versions before 5.2.11.8, 5.5.2.1, and 6.0.1. Any deployment using vulnerable OTP or SSH library versions with SFTP enabled and relying on chroot for tenant isolation or path obscurity is in scope.
Exploitability
Exploitation requires valid SFTP credentials—no unauthenticated access is possible. The attack is straightforward: create a symlink inside the chroot, then read it back to obtain the absolute path. The CVSS 3.1 score of 6.5 (Medium) reflects authentication as a prerequisite and confidentiality impact without integrity or availability damage. No known public exploits are documented in the CISA KEV catalog. The low complexity and ease of reproduction once authenticated make this a practical post-compromise reconnaissance vector.
Remediation
Update to patched versions: OTP 29.0.2 or later, OTP 28.5.0.2, or OTP 27.3.4.13 and corresponding SSH module versions 6.0.1 or later, 5.5.2.1, or 5.2.11.8. Verify patch versions against Erlang OTP release notes and vendor advisories before deployment. Interim mitigations include restricting SFTP user populations, disabling symlink support if operationally feasible, or monitoring for suspicious symlink creation and SSH_FXP_READLINK queries on sensitive paths.
Patch guidance
Erlang OTP patches are distributed through the official Erlang Solutions repository and GitHub. Organizations should: (1) identify current OTP and SSH versions in production via erlang:system_info(otp_release) and ssh:module_info(attributes); (2) consult the Erlang OTP security advisory for precise version mappings and availability; (3) test patches in staging environments that replicate chroot and multi-tenant configurations; (4) schedule updates prioritizing systems with untrusted or high-privilege SFTP users; (5) verify successful patching by checking that symlink path resolution returns chrooted paths, not absolute backend paths.
Detection guidance
Monitor SFTP audit logs for: (1) creation of symlinks with targets pointing to / or .. sequences within chroot directories; (2) SSH_FXP_READLINK operations on recently created symlinks; (3) client parsing of absolute paths in SSH_FXP_NAME responses when chrooted paths are expected. Correlate SFTP activity logs with SSH server debug logs (if enabled at DEBUG level) to identify reconnaissance patterns. Inspect any symlinks lingering in SFTP directories post-incident, as they may serve as evidence of reconnaissance activity. Endpoint detection should flag unexpected readlink/symlink syscall sequences on SFTP root mount points.
Why prioritize this
This vulnerability merits medium-priority patching due to its pre-authentication requirement and limited direct impact. However, organizations with strict data classification rules, compliance frameworks (PCI-DSS, HIPAA) governing data residency, or multi-tenant SFTP services should elevate priority. The path disclosure can serve as a pivot point for lateral movement if the exposed filesystem layout reveals co-located services. Systems with public-facing SFTP and diverse user bases warrant faster patching than internal-only or single-tenant deployments.
Risk score, explained
The CVSS 3.1 base score of 6.5 (Medium) balances authenticated-only access (PR:L) against high confidentiality impact (C:H) with no integrity or availability harm. The score does not account for environmental factors such as multi-tenancy, compliance obligations, or downstream reconnaissance risk. Organizations should adjust the score upward if their threat model treats infrastructure path disclosure as a critical reconnaissance enabler or if compliance requirements prohibit any information leakage.
Frequently asked questions
Can an unauthenticated attacker exploit this?
No. The vulnerability requires valid SFTP credentials. An attacker without login credentials cannot create symlinks or trigger the path disclosure.
Does this vulnerability allow reading files outside the chroot?
No. The flaw discloses the absolute path of the SFTP root directory itself, not access to files. Chroot boundaries remain enforced; only the backend path label is leaked.
Which organizations should patch first?
Multi-tenant SFTP providers, organizations subject to strict data residency or compliance audits, and those where SFTP users are untrusted or high-risk should prioritize patching. Single-tenant, internal-only deployments are lower risk but should still update within standard patch cycles.
Is there a workaround if we can't patch immediately?
Temporary mitigations include restricting SFTP access to trusted users, disabling symlink creation if not required, or monitoring for symlink creation and SSH_FXP_READLINK activity. However, these are not substitutes for patching.
This analysis is for informational purposes. CVSS scores and affected versions are derived from official CVE data; verify all patch details and version mappings against vendor security advisories before deployment. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own risk assessment and testing in isolated environments prior to applying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10254MEDIUMUnauthenticated Information Disclosure in SourceCodester Pet Grooming Software
- CVE-2026-10854MEDIUMMISP Galaxy Visibility Control Bypass – Unauthorized Private Metadata Access
- CVE-2026-10864MEDIUMMISP Dashboard Widget Field Filtering Bypass (Medium)
- CVE-2026-11162MEDIUMChrome CSS Cross-Origin Data Leak Vulnerability
- CVE-2026-11168MEDIUMChrome Extension Memory Disclosure Vulnerability
- CVE-2026-11180MEDIUMChrome SVG Cross-Origin Data Leak – Patch & Mitigation Guide
- CVE-2026-11182MEDIUMChrome SVG Cross-Origin Data Leak Vulnerability
- CVE-2026-11203MEDIUMChrome GPU Isolation Bypass on macOS Allows Cross-Origin Data Leak