{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sshd/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":4.2,"id":"CVE-2026-59997"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenSSH sshd internal-sftp \u003c 10.4"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","openssh","sshd","sftp","linux","macos"],"_cs_type":"advisory","_cs_vendors":["OpenSSH"],"content_html":"\u003cp\u003eThe CVE-2026-59997 vulnerability affects the \u003ccode\u003einternal-sftp\u003c/code\u003e component of OpenSSH's \u003ccode\u003esshd\u003c/code\u003e service in versions prior to 10.4. This flaw stems from a critical limitation where \u003ccode\u003esshd\u003c/code\u003e only recognizes and processes the first nine command-line arguments passed to \u003ccode\u003einternal-sftp\u003c/code\u003e. This is problematic because \u003ccode\u003einternal-sftp\u003c/code\u003e relies on specific command-line arguments to enforce various security properties and configurations, such as chroot environments or specific permission settings. If crucial security-related arguments are positioned beyond the ninth argument, they will be silently ignored, potentially leading to a bypass of intended security controls. This could result in unintended directory access, file manipulation capabilities, or other deviations from the desired secure SFTP connection parameters, exposing systems to increased risk. Defenders should prioritize patching OpenSSH to version 10.4 or later to mitigate this configuration bypass vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003e(No specific attack chain is provided in the source for this vulnerability. It describes a configuration flaw, not an exploitation sequence.)\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-59997 is the potential circumvention of intended security configurations within SFTP connections. If an organization has implemented \u003ccode\u003einternal-sftp\u003c/code\u003e with advanced security settings, such as chroot jails or restrictive permissions, and these settings are controlled by command-line arguments positioned beyond the ninth argument, those critical controls would be effectively nullified. This could lead to unauthorized access to files or directories outside the intended restricted environment, compromise data integrity, or allow an attacker to gain a foothold for further exploitation. While not a direct remote code execution vulnerability, its successful exploitation could expose sensitive data or facilitate broader system compromise depending on the specific security property that is bypassed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch OpenSSH to version 10.4 or later immediately to address CVE-2026-59997.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T07:39:33Z","date_published":"2026-07-09T07:39:33Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openssh-internal-sftp-vulnerability/","summary":"CVE-2026-59997 describes a vulnerability in the internal-sftp component of OpenSSH's sshd service, affecting versions before 10.4, where the service only processes the first nine command-line arguments, potentially leading to a bypass of security controls or unintended configuration.","title":"OpenSSH internal-sftp Vulnerability (CVE-2026-59997) Allows Security Property Bypass","url":"https://feed.craftedsignal.io/briefs/2026-07-openssh-internal-sftp-vulnerability/"}],"language":"en","title":"CraftedSignal Threat Feed - Sshd","version":"https://jsonfeed.org/version/1.1"}