OpenSSH <=10.3 internal-sftp accepts only first 9 args
CVE-2026-59997 Published on July 8, 2026
internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.
Vulnerability Analysis
CVE-2026-59997 can be exploited with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
Improper Validation of Specified Quantity in Input
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Products Associated with CVE-2026-59997
Want to know whenever a new CVE is published for OpenBSD OpenSSH? stack.watch will email you.
Affected Versions
OpenBSD OpenSSH:- Before 10.4 is affected.