{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45695/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["kopia (\u003c= 0.22.3)"],"_cs_severities":["critical"],"_cs_tags":["rce","vulnerability","command-injection","kopia","CVE-2026-45695"],"_cs_type":"advisory","_cs_vendors":["github"],"content_html":"\u003cp\u003eKopia is vulnerable to remote command execution (CVE-2026-45695) when its HTTP server is started without authentication (\u003ccode\u003e--without-password\u003c/code\u003e) and configured to use an SFTP backend with \u003ccode\u003eexternalSSH: true\u003c/code\u003e. This configuration flaw allows unauthenticated attackers to send a crafted HTTP request to the \u003ccode\u003e/api/v1/repo/exists\u003c/code\u003e endpoint. The vulnerability stems from the lack of proper input validation of \u003ccode\u003esshArguments\u003c/code\u003e within the SFTP storage configuration. An attacker can inject arbitrary commands by including \u003ccode\u003e-oProxyCommand=\u0026lt;cmd\u0026gt;\u003c/code\u003e in the \u003ccode\u003esshArguments\u003c/code\u003e. This leads to command execution as the Kopia process user due to how OpenSSH handles the \u003ccode\u003eProxyCommand\u003c/code\u003e option. 
This issue affects Kopia versions 0.22.3 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eKopia HTTP server is started without authentication using the \u003ccode\u003e--without-password\u003c/code\u003e flag.\u003c/li\u003e\n\u003cli\u003eThe server is configured to use an SFTP backend with \u003ccode\u003eexternalSSH: true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sends an unauthenticated HTTP POST request to the \u003ccode\u003e/api/v1/repo/exists\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request contains a crafted JSON body with malicious \u003ccode\u003esshArguments\u003c/code\u003e including \u003ccode\u003e-oProxyCommand=\u0026lt;malicious_command\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s \u003ccode\u003ehandleUIPossiblyNotConnected\u003c/code\u003e function authorizes the request due to the missing authentication.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eblob.NewStorage\u003c/code\u003e function processes the attacker-supplied storage configuration.\u003c/li\u003e\n\u003cli\u003eWithin the SFTP backend logic, \u003ccode\u003eopt.SSHArguments\u003c/code\u003e are populated from the JSON request body.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esshArguments\u003c/code\u003e string is split on spaces and passed directly to \u003ccode\u003eexec.CommandContext(\u0026quot;ssh\u0026quot;, ...)\u003c/code\u003e without proper sanitization.\u003c/li\u003e\n\u003cli\u003eOpenSSH executes the injected command via \u003ccode\u003e$SHELL -c \u0026lt;malicious_command\u0026gt;\u003c/code\u003e before any TCP connection is attempted.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution as the Kopia process user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-45695 allows unauthenticated attackers to 
execute arbitrary commands on the Kopia server. There is no need for user interaction or valid credentials. The attacker gains the privileges of the Kopia process user, potentially leading to complete system compromise. The impact includes data exfiltration, system disruption, or further lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Kopia version 0.22.4 or later, which includes the fix described in \u003ca href=\"https://github.com/kopia/kopia/pull/5354\"\u003ehttps://github.com/kopia/kopia/pull/5354\u003c/a\u003e. This disables starting a server without a password that also listens on a non-loopback interface.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, ensure that the Kopia HTTP server is never started without authentication (\u003ccode\u003e--server-username\u003c/code\u003e or \u003ccode\u003e--server-password\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts of CVE-2026-45695.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the \u003ccode\u003e/api/v1/repo/exists\u003c/code\u003e endpoint with unusual \u003ccode\u003esshArguments\u003c/code\u003e in the request body.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T19:20:30Z","date_published":"2026-05-19T19:20:30Z","id":"https://feed.craftedsignal.io/briefs/2026-05-kopia-rce/","summary":"Kopia's HTTP server, when started with `--without-password`, accepts unauthenticated requests which can lead to arbitrary command execution as the Kopia process user via `-oProxyCommand` in `sshArguments` for SFTP backends with `externalSSH: true`. 
An attacker-supplied storage configuration is forwarded to `blob.NewStorage`, and the `sshArguments` are split on spaces and passed directly to `exec.CommandContext(\"ssh\")`, resulting in command injection.","title":"Kopia RCE via SSH ProxyCommand Injection (CVE-2026-45695)","url":"https://feed.craftedsignal.io/briefs/2026-05-kopia-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-45695","version":"https://jsonfeed.org/version/1.1"}