Path Traversal Vulnerability in Apache MINA SSHD Affecting Git Operations
CVE-2026-48827

7.1 HIGH

Key Information:

Vendor: Apache

CVE Published: 1 June 2026

What is CVE-2026-48827?

A path traversal vulnerability exists in the Apache MINA SSHD bundle, specifically in the sshd-git implementation. It arises from insufficient path validation when handling git-upload-pack and git-receive-pack, and can allow users authenticated over SSH to access git repositories located outside the designated git server root directory. Affected applications should be upgraded immediately to Apache MINA SSHD 2.18.0 or to the newer milestone release 3.0.0-M4. It is also recommended to put access controls in place that do not rely solely on file system settings to restrict access to git repositories.
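The following added example shows the kind of containment check a git-over-SSH server can apply to the repository argument of git-upload-pack and git-receive-pack before opening it. It is not Apache MINA SSHD code and not the upstream fix; the class `GitRootGuard`, the method `resolveRepository` and the directory layout are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Added illustration only; hypothetical names, not Apache MINA SSHD code. */
public class GitRootGuard {

    /** Resolve the requested repository against rootDir; refuse anything outside it. */
    static Path resolveRepository(Path rootDir, String requested) throws IOException {
        if (requested.indexOf('\0') >= 0) {
            throw new SecurityException("NUL byte in repository path");
        }
        // Git clients send absolute-looking paths ("/team/app.git"); treat them as root-relative.
        String relative = requested.replaceFirst("^/+", "");
        Path root = rootDir.toRealPath();
        Path candidate = root.resolve(relative).normalize();
        // Lexical check: rejects "../" sequences and absolute paths that escape the root.
        if (!candidate.startsWith(root)) {
            throw new SecurityException("repository outside git root: " + requested);
        }
        // Symlink check: the real location must still be under the real root.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) {
            throw new SecurityException("repository resolves outside git root: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/root/team/app.git is served, <tmp>/private.git is not.
        Path base = Files.createTempDirectory("gitroot-demo");
        Path root = Files.createDirectories(base.resolve("root")).toRealPath();
        Files.createDirectories(root.resolve("team/app.git"));
        Files.createDirectories(base.resolve("private.git"));

        String[] requests = { "/team/app.git", "/../private.git", "team/../../private.git" };
        for (String r : requests) {
            try {
                Path repo = resolveRepository(root, r);
                System.out.println("ALLOW " + r + " -> " + root.relativize(repo));
            } catch (SecurityException e) {
                System.out.println("DENY  " + r + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

A check like this confines path resolution only; per-user authorization for each repository still has to be enforced separately.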

Affected Version(s)

Apache MINA SSHD 2.0.0 <= 2.17.1

Apache MINA SSHD 3.0.0-M1 <= 3.0.0-M3

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

j0hndo (dohyun4466@gmail.com)