Zurück zur CVE-Übersicht
CVE-2026-45695
CRITICAL(9.8)CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Risk Signal Score35/100 — MITTEL
- CVSS 9.8 — Kritisch
- Weniger als 24 Stunden alt
Beschreibung
Kopia is a cross-platform backup tool for Windows, macOS, and Linux with fast incremental backups, client-side end-to-end encryption, compression, and data deduplication. Prior to 0.23.0, Kopia's HTTP server started with --without-password accepts unauthenticated requests to /api/v1/repo/exists and forwards attacker-supplied SFTP storage configuration to blob.NewStorage, where externalSSH: true and sshArguments containing -oProxyCommand=<cmd> can cause exec.CommandContext("ssh") to invoke the command through OpenSSH. This issue is fixed in version 0.23.0.
GitHub Advisories
GHSA-2q4c-3mrw-63c3CRITICAL
Kopia: RCE via SSH ProxyCommand Injection
go/github.com/kopia/kopia→ 0.23.0
GitHub Advisory