CVE-2026-48827: Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git
Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH to access git repositories outside the configured git server root directory. Applications are affected if they use org.apache.sshd:sshd-git. Applications not using sshd-git are not affected. Users are advised to upgrade affected applications to Apache MINA SSHD 2.18.0, which fixes the issue. The issue is also present in the pre-release milestones 3.0.0-M1 to 3.0.0-M3 of the upcoming major version 3.0.0. Again, applications are affected only if they use sshd-git. Upgrade affected applications to 3.0.0-M4. We would like to point out that a professional git server should not rely solely on file system layout and permissions, but should implement additional security controls to govern access to git repositories and the operations allowed on particular git repositories.
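As an added illustration, not code from Apache MINA SSHD or from this advisory, the hypothetical guard below contrasts the unchecked resolution the advisory describes (client-supplied repository name joined to the server root) with a canonicalizing check that keeps every resolved path under the configured root; class, method names and the sample repository names are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical guard (not Apache MINA SSHD code): resolves a client-supplied
// repository name against the configured git root and rejects escapes.
public final class GitRootGuard {
    private final Path root;

    public GitRootGuard(Path root) throws IOException {
        // Canonicalize once so symlinks in the root path itself cannot defeat
        // the startsWith comparison below.
        this.root = root.toRealPath();
    }

    // Vulnerable pattern: trust the client string. "../" segments walk above
    // the root, and an absolute name replaces the root entirely.
    public Path resolveUnchecked(String requested) {
        return root.resolve(requested);
    }

    // Hardened pattern: normalize, then require the result to stay under the
    // canonical root, following symlinks when the target already exists.
    // Returns null for any name that would leave the root.
    public Path resolveChecked(String requested) throws IOException {
        Path candidate = root.resolve(requested).normalize();
        if (!candidate.startsWith(root)) {
            return null; // "../" escape or absolute path
        }
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) {
            return null; // symlink inside the root pointing outside it
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("gitroot"); // constructed sample root
        GitRootGuard guard = new GitRootGuard(root);
        // Constructed sample repository names, as a client might send them.
        String[] names = { "team/app.git", "../../etc/passwd", "/tmp/other.git" };
        for (String n : names) {
            System.out.println(n + " -> unchecked: " + guard.resolveUnchecked(n)
                    + ", checked: " + guard.resolveChecked(n));
        }
    }
}
```

A path check like this only bounds the filesystem; the advisory's recommendation of per-repository access control on top of it still applies.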
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A path traversal vulnerability in the sshd-git component of Apache MINA SSHD allows authenticated SSH users to access git repositories outside the configured server root directory. The vulnerability is reachable over the network and requires only a low-privilege SSH account; no victim interaction is needed. Successful exploitation gives an attacker unauthorized read access to files and repositories outside the intended boundary, plus limited write capability. No upstream fix has been published yet; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle org.apache.sshd:sshd-git. Coverage applies to both the 2.x and 3.0.0 milestone release lines.
Status: Available
HarborGuard scores this CVE at CVSS 7.1 (HIGH) and weights it further against each customer environment's compliance policy, surfacing findings to the team or inbox configured for that environment. Per-repository and per-pipeline triage views are available so the right owners can act without noise reaching unrelated teams.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle. The moment Apache MINA SSHD ships a patched release, a rebuilt image at the fixed version becomes available; for customers with auto-remediation enabled, HarborGuard will then run a regression test suite and open a PR against affected workloads automatically.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The SSH service must be reachable over the network; an attacker contacts it remotely to initiate git operations.
- Authentication: Required
  Any valid low-privilege SSH account is sufficient; no administrative credentials are needed.
- Victim interaction: Not required
  The attacker exploits the flaw directly through their own SSH session; no other user needs to take any action.
- Attack complexity
  Exploitation is straightforward and condition-free; no race conditions or special environmental factors are required.
Blast Radius
- Reads git repository contents outside the server root, including source code, configuration files, and secrets committed to out-of-scope repositories.
- Writes or pushes malicious content into git repositories outside the intended boundary via git-receive-pack, corrupting history or injecting code.
- Exposes the filesystem layout beyond the git root, giving the attacker a map for follow-on attacks against other services or stored credentials.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of this advisory is active, and the CVE is matched against all images containing org.apache.sshd:sshd-git across customer registries and CI pipelines. Because no upstream patch exists yet, compensating controls are worth considering in the interim: network policy rules that restrict SSH access to the git service to known IP ranges or internal VPC segments, egress filtering to limit what the sshd-git process can reach, and additional access-control layers on the underlying git repositories rather than relying on filesystem layout alone. The moment Apache MINA SSHD publishes a fixed release (2.18.0 or 3.0.0-M4 or later), a patched-image rebuild becomes available on HarborGuard. For customers with auto-remediation enabled, that rebuild triggers a regression-test run and a PR opened against affected workloads, with median time from CVE-fix publication to merged patch PR around 90 minutes for HIGH-severity issues.
Affected Products
- Apache Software Foundation / Apache MINA SSHD: ≤ 2.17.1 · ≤ 3.0.0-M3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N