Path traversal in otp - CVE-2026-32147


Published: April 21, 2026
Vulnerability identifier: #VU126652
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32147
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: erlang
Affected software: otp

Detailed vulnerability description

The vulnerability allows a remote authenticated user to modify file attributes outside the intended chroot boundary.

The vulnerability exists due to path traversal in the ssh_sftpd SFTP daemon when handling SSH_FXP_FSETSTAT on file handles created from user-supplied paths. A remote user can create a corresponding path inside the chroot and issue a crafted SSH_FXP_FSETSTAT request to modify the attributes of a file outside the intended chroot boundary.

Only servers configured with the root option are vulnerable, and the target file must already exist on the real filesystem. File contents cannot be read or modified through this issue; only file attributes (such as permissions and timestamps) are affected.
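The defensive pattern at issue here is that a chroot-style root option only holds if every handle-bearing operation (FSETSTAT included) acts on a path that was canonicalized and confined to the root when the handle was created, and is re-checked at use time. The following is an added, generic illustration written in Python for this page; it is not code from Erlang/OTP or from ssh_sftpd, and the class and function names (SftpHandleTable, confine, PathOutsideRoot) are assumptions invented for the example. It builds a temporary root with one file inside it, one file outside it and a symlink inside the root pointing outward (all constructed sample data), then shows that attribute changes through a handle only ever reach the in-root file.

```python
import os
import tempfile
from dataclasses import dataclass


class PathOutsideRoot(Exception):
    """Raised when a client-supplied path resolves outside the configured root."""


def _inside(root_real: str, candidate: str) -> bool:
    # Both arguments are already realpath()-resolved; compare as path prefixes,
    # not as plain strings, so "/srv/root2" is not accepted for root "/srv/root".
    return candidate == root_real or candidate.startswith(root_real + os.sep)


def confine(root: str, user_path: str) -> str:
    """Map a client-supplied SFTP path into `root` and return the resolved
    real path, or raise PathOutsideRoot if it escapes (via "..", an absolute
    prefix, or a symlink that points out of the root)."""
    root_real = os.path.realpath(root)
    joined = os.path.join(root_real, user_path.lstrip("/"))
    candidate = os.path.realpath(joined)  # resolves ".." and symlinks
    if not _inside(root_real, candidate):
        raise PathOutsideRoot(user_path)
    return candidate


def is_confined(root: str, user_path: str) -> bool:
    try:
        confine(root, user_path)
        return True
    except PathOutsideRoot:
        return False


@dataclass
class Handle:
    client_path: str  # what the client sent, kept only for logging
    real_path: str    # confined path the server actually operates on


class SftpHandleTable:
    """Hypothetical handle table: every later operation on a handle uses the
    confined real path recorded at open time, never the raw client string."""

    def __init__(self, root: str):
        self.root = root
        self.handles: dict[str, Handle] = {}
        self._next = 0

    def open(self, user_path: str) -> str:
        real = confine(self.root, user_path)  # reject escapes before issuing a handle
        handle_id = str(self._next)
        self._next += 1
        self.handles[handle_id] = Handle(user_path, real)
        return handle_id

    def fsetstat(self, handle_id: str, mode: int) -> str:
        h = self.handles[handle_id]
        # Re-resolve and re-check at use time: a path that became a symlink
        # after open() must not redirect the chmod outside the root.
        target = os.path.realpath(h.real_path)
        if not _inside(os.path.realpath(self.root), target):
            raise PathOutsideRoot(h.client_path)
        os.chmod(target, mode)
        return target


def demo() -> dict:
    """Constructed scenario: root/inside.txt, tmp/outside.txt, root/escape -> outside."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "chroot")
        os.mkdir(root)
        inside = os.path.join(root, "inside.txt")
        outside = os.path.join(tmp, "outside.txt")
        for p in (inside, outside):
            with open(p, "w") as f:
                f.write("sample\n")
            os.chmod(p, 0o600)
        os.symlink(outside, os.path.join(root, "escape"))

        table = SftpHandleTable(root)
        results = {}
        hid = table.open("/inside.txt")
        table.fsetstat(hid, 0o640)  # legitimate in-root attribute change
        results["inside_mode"] = os.stat(inside).st_mode & 0o777

        for name in ("/escape", "../outside.txt", "/../outside.txt"):
            results[name] = "allowed" if is_confined(root, name) else "rejected"
        results["outside_mode"] = os.stat(outside).st_mode & 0o777  # unchanged
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

The check lives in one place (confine) and is applied twice: once before a handle is issued and once more when the handle is used. That second check is what matters for an operation like FSETSTAT, which never receives a path from the client and therefore has to trust whatever the handle carries.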


How to mitigate CVE-2026-32147

Install the security update from the vendor's website.

Sources