SFTP Command-Line Argument Limitation in OpenSSH by OpenSSH
CVE-2026-59997

4.2MEDIUM

Key Information:

Vendor

OpenBSD

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59997?

The OpenSSH software package, specifically its internal-sftp function, has a limitation where it only recognizes the first nine command-line arguments. This restriction can undermine the security properties of an SFTP connection, particularly when crucial security commands are not processed due to being beyond the threshold. Certain configurations that rely on these command-line options may inadvertently expose systems to vulnerabilities, highlighting a significant oversight in the handling of SFTP command-line inputs in versions prior to 10.4.

Affected Version(s)

OpenSSH 0 < 10.4

References

CVSS V3.1

Score:
4.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.