Path Traversal Vulnerability in Erlang OTP's SFTP Module
CVE-2026-23942

5.3MEDIUM

Key Information:

Vendor: Erlang
Status: Otp
Vendor: CVE Published:; 13 March 2026

What is CVE-2026-23942?

The vulnerability in Erlang OTP's SFTP server arises from inadequate path component validation when determining if a specified path is within the permitted root directory. Instead of properly verifying path components, the server erroneously relies on prefix matching, allowing authenticated users to potentially traverse outside the intended directory structure. This weakness enables access to adjacent directories with similar names, which can expose sensitive files or lead to unauthorized actions, compromising the overall security of the system.

Affected Version(s)

OTP 3.0.1

OTP 17.0

OTP 0

References

https://github.com/erlang/otp/security/advisories/GHSA-47...

vendor-advisoryrelated

https://cna.erlef.org/cves/CVE-2026-23942.html

https://osv.dev/vulnerability/EEF-CVE-2026-23942

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 13, 2026
Vulnerability Reserved
Jan 19, 2026

Credit

Luigino Camastra / Aisle Research

Jakub Witczak

Michał Wąsowski

CVE-2026-23942 Data

JSON