EXECUTIVE SUMMARY:
CVE-2026-45695 with a CVSS score of 9.8 is a critical remote code execution vulnerability in Kopia's HTTP server. The affected software is the go/github.com/kopia/kopia package, specifically versions <= 0.22.3. The vulnerability occurs when the server is started without a password, allowing unauthenticated requests to the `/api/v1/repo/exists` endpoint, which forwards an attacker-supplied storage configuration to `blob.NewStorage`. For SFTP backends with `externalSSH: true`, an attacker can inject arbitrary commands via the SSH ProxyCommand by crafting a malicious `sshArguments` string, which is executed by OpenSSH before any TCP connection is attempted, granting the requester arbitrary command execution as the Kopia process user. An attacker can exploit this vulnerability without user interaction or valid credentials, sending a single HTTP request, and gain the capability to execute arbitrary system commands. If exploited, this vulnerability can have significant business impacts, including data breaches, system compromise, and loss of sensitive information. Prerequisites for exploitation include the ability to send a crafted HTTP request to the vulnerable server.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-45695 with a CVSS score of 9.8 is a critical remote code execution vulnerability in Kopia's HTTP server. The affected software is the go/github.com/kopia/kopia package, specifically versions <= 0.22.3. The vulnerability occurs when the server is started without a password, allowing unauthenticated requests to the `/api/v1/repo/exists` endpoint, which forwards an attacker-supplied storage configuration to `blob.NewStorage`. For SFTP backends with `externalSSH: true`, an attacker can inject arbitrary commands via the SSH ProxyCommand by crafting a malicious `sshArguments` string, which is executed by OpenSSH before any TCP connection is attempted, granting the requester arbitrary command execution as the Kopia process user. An attacker can exploit this vulnerability without user interaction or valid credentials, sending a single HTTP request, and gain the capability to execute arbitrary system commands. If exploited, this vulnerability can have significant business impacts, including data breaches, system compromise, and loss of sensitive information. Prerequisites for exploitation include the ability to send a crafted HTTP request to the vulnerable server.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-2q4c-3mrw-63c3