SFTP Command-Line Argument Limitation in OpenSSH by OpenSSH
CVE-2026-59997
4.2MEDIUM
What is CVE-2026-59997?
The OpenSSH software package, specifically its internal-sftp function, has a limitation where it only recognizes the first nine command-line arguments. This restriction can undermine the security properties of an SFTP connection, particularly when crucial security commands are not processed due to being beyond the threshold. Certain configurations that rely on these command-line options may inadvertently expose systems to vulnerabilities, highlighting a significant oversight in the handling of SFTP command-line inputs in versions prior to 10.4.
Affected Version(s)
OpenSSH 0 < 10.4