Observable Response Discrepancy in otp - CVE-2026-53422

Published: July 2, 2026


Vulnerability identifier: #VU136828
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-53422
CWE-ID: CWE-204
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: erlang
Affected software:
otp

Detailed vulnerability description

The vulnerability allows a remote user to learn whether specific paths exist on the server's filesystem.

The vulnerability exists due to an observable response discrepancy in the ssh_sftpd SSH_FXP_REALPATH handler when it processes a crafted traversal path in a REALPATH request. A remote user can send a specially crafted REALPATH request and infer, from the differing responses, whether a given filesystem path exists.

The issue affects deployments that rely on the configured root option for filesystem path isolation. It does not by itself disclose file contents or grant write access.
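As an added illustration of the CWE-204 pattern described above (this is not Erlang/OTP code and does not describe how ssh_sftpd is implemented), the Python below models a REALPATH handler that consults the filesystem before confining the path, beside a form that canonicalizes against a virtual root first so the reply never depends on state outside the root. The filesystem model, root directory and request paths are constructed for the example.

```python
import posixpath

# SFTP status codes carried in SSH_FXP_STATUS replies (values from the SFTP protocol drafts).
SSH_FX_OK = 0
SSH_FX_NO_SUCH_FILE = 2
SSH_FX_PERMISSION_DENIED = 3

# Constructed in-memory model of the server's filesystem: the set of paths that exist.
FS = {"/srv/sftp", "/srv/sftp/pub", "/srv/sftp/pub/readme.txt",
      "/srv/other", "/srv/other/config.ini"}
ROOT = "/srv/sftp"  # the configured root the SFTP subsystem must stay inside


def realpath_leaky(root, client_path, fs=FS):
    """Illustrative CWE-204 pattern: resolve against the real tree, then confine.

    The existence check runs before the root check, so a traversal path gets
    PERMISSION_DENIED when the outside target exists and NO_SUCH_FILE when it
    does not, which tells the client something about paths outside the root."""
    target = posixpath.normpath(posixpath.join(root, client_path.lstrip("/")))
    if target not in fs:
        return SSH_FX_NO_SUCH_FILE, None
    if target != root and not target.startswith(root + "/"):
        return SSH_FX_PERMISSION_DENIED, None
    return SSH_FX_OK, ("/" if target == root else "/" + posixpath.relpath(target, root))


def realpath_confined(root, client_path, fs=FS):
    """Hardened form: canonicalize lexically against a virtual "/" first.

    ".." can never climb above the virtual root, so the only path ever looked
    up lies inside root and the reply depends solely on in-root state."""
    virtual = posixpath.normpath("/" + client_path.lstrip("/"))
    target = root if virtual == "/" else root + virtual
    if target not in fs:
        return SSH_FX_NO_SUCH_FILE, None
    return SSH_FX_OK, virtual


def leaks_existence(handler, root=ROOT, fs=FS):
    """Defender's check: do two traversal requests that differ only in whether
    the *outside* target exists receive different status codes?"""
    present = handler(root, "../other/config.ini", fs)[0]
    absent = handler(root, "../other/missing.ini", fs)[0]
    return present != absent
```

`leaks_existence` is the regression check to keep: it returns True for the leaky handler and False for the confined one, and the same two-request comparison can be run against a real SFTP server after patching.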


How to mitigate CVE-2026-53422

Install the security update from the vendor's website.

Sources