Server-Side Request Forgery (SSRF) in otp - CVE-2026-48858
Published: July 2, 2026
otp
Detailed vulnerability description
The vulnerability allows a remote user to perform server-side request forgery against internal or third-party hosts.
The vulnerability exists due to improper control of a resource through its lifetime in ftp_internal:handle_command/3 when processing PASV responses in passive mode. A remote user can supply a crafted 227 response with an arbitrary IP address and port to perform server-side request forgery against internal or third-party hosts.
On affected operations, the client may read data from or send data to the redirected target instead of the FTP server. The issue affects the PASV path used with the default passive-mode configuration and does not affect the EPSV path.
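The following added example (not OTP's ftp code) shows the check a passive-mode client can apply to a 227 reply: parse the advertised host/port tuple strictly, and either ignore the advertised address in favour of the control connection's peer or refuse the reply when the two differ. Names such as parse_pasv_reply, choose_data_endpoint and the skip_pasv_ip flag are assumptions of this example, and the sample replies and addresses are constructed.

```python
import re
import ipaddress

# Host/port tuple carried in a 227 "Entering Passive Mode" reply: (h1,h2,h3,h4,p1,p2).
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str):
    """Parse a 227 reply into (host, port); raise ValueError on anything malformed."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no host/port tuple in 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in 227 reply")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("227 reply advertises port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def choose_data_endpoint(reply: str, control_peer: str, skip_pasv_ip: bool = True):
    """Decide where the data connection is allowed to go.

    Mitigation shown (hypothetical policy, not OTP's): with skip_pasv_ip=True the
    address advertised in the 227 reply is ignored and the control connection's
    peer address is reused, so a server cannot redirect the client elsewhere.
    With skip_pasv_ip=False the advertised address is honoured only when it is
    identical to the control peer; any mismatch is rejected instead of followed.
    """
    advertised_host, port = parse_pasv_reply(reply)
    if skip_pasv_ip:
        return control_peer, port
    if ipaddress.ip_address(advertised_host) != ipaddress.ip_address(control_peer):
        raise ValueError(
            f"227 reply advertises {advertised_host} but control peer is {control_peer}"
        )
    return advertised_host, port


if __name__ == "__main__":
    # Constructed sample: server at 203.0.113.10 answers PASV with an unrelated address.
    crafted = "227 Entering Passive Mode (10,0,0,5,0,22)."
    print(choose_data_endpoint(crafted, "203.0.113.10"))  # data goes to the control peer
```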