CVE-2026-45695: Kopia: RCE via SSH ProxyCommand Injection
Kopia’s HTTP server, when started with --without-password, accepts unauthenticated requests to /api/v1/repo/exists. The handler forwards an attacker-supplied storage configuration to blob.NewStorage. For SFTP backends with externalSSH: true, that path constructs a process command line by splitting sshArguments on spaces and passes the result directly to exec.CommandContext("ssh"). An -oProxyCommand=<cmd> token in sshArguments causes OpenSSH to invoke <cmd> via $SHELL -c before any TCP connection is attempted, giving the requester arbitrary command execution as the Kopia process user.
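The following Go program is an added illustration, not Kopia’s source code: it reconstructs the unsafe pattern the advisory describes (split sshArguments on spaces, hand the tokens to exec.CommandContext("ssh")) beside a hardened builder that allow-lists flags and -o keywords before anything reaches OpenSSH. The precondition for the bug is an unauthenticated endpoint, so the first mitigation is not to run the server with --without-password on a reachable interface; argument validation is defence in depth for the case where the configuration is still untrusted. The flag and keyword allow-lists, the function names and the host name are assumptions for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// vulnerableSSHCommand reproduces the pattern the advisory describes (an
// illustration, not Kopia's source): the raw sshArguments string is split on
// spaces and forwarded to exec.CommandContext("ssh") with no validation, so a
// token such as "-oProxyCommand=<cmd>" reaches OpenSSH, which runs <cmd> via
// $SHELL -c before any TCP connection is made.
func vulnerableSSHCommand(ctx context.Context, host, sshArguments string) *exec.Cmd {
	args := append(strings.Split(sshArguments, " "), host)
	return exec.CommandContext(ctx, "ssh", args...)
}

// valueFlags are the ssh flags an operator may pass that take one value
// (assumed policy for this example); boolFlags take none. Flags that change
// what ssh executes or reads locally, such as -F (config file) or -E (log
// file), are deliberately absent.
var valueFlags = map[string]bool{"-p": true, "-i": true, "-l": true}
var boolFlags = map[string]bool{"-4": true, "-6": true, "-C": true}

// allowedOptions are the ssh_config keywords accepted through -o (assumed
// policy). OpenSSH matches keywords case-insensitively, so names are compared
// lower-cased. ProxyCommand, LocalCommand, PermitLocalCommand and Include are
// absent on purpose: each lets an option value execute or load something locally.
var allowedOptions = map[string]bool{
	"stricthostkeychecking": true, "serveraliveinterval": true,
	"connecttimeout": true, "port": true, "user": true,
}

// validateSSHArguments turns the operator-supplied argument string into a
// vetted argv slice. It accepts only allow-listed flags in "-p 2222" form (no
// attached values), only allow-listed -o keywords in Name=value form, and no
// positional tokens, so neither a command nor a second host can ride along.
func validateSSHArguments(raw string) ([]string, error) {
	tokens := strings.Fields(raw) // no empty tokens from repeated spaces
	out := make([]string, 0, len(tokens))
	for i := 0; i < len(tokens); i++ {
		tok := tokens[i]
		switch {
		case strings.HasPrefix(tok, "-o"):
			opt := tok[2:]
			if opt == "" { // "-o Name=value": the keyword is the next token
				if i+1 >= len(tokens) {
					return nil, errors.New("-o without an option")
				}
				i++
				opt = tokens[i]
			}
			name, _, found := strings.Cut(opt, "=")
			if !found || name == "" {
				return nil, fmt.Errorf("ssh option %q must be Name=value", opt)
			}
			if !allowedOptions[strings.ToLower(name)] {
				return nil, fmt.Errorf("ssh option %q is not permitted", name)
			}
			out = append(out, "-o", opt)
		case valueFlags[tok]:
			if i+1 >= len(tokens) || strings.HasPrefix(tokens[i+1], "-") {
				return nil, fmt.Errorf("flag %s requires a value", tok)
			}
			out = append(out, tok, tokens[i+1])
			i++
		case boolFlags[tok]:
			out = append(out, tok)
		default:
			// Unknown flag, attached value such as -p2222, or a positional
			// token that ssh would read as a host or a remote command.
			return nil, fmt.Errorf("argument %q is not permitted", tok)
		}
	}
	return out, nil
}

// safeSSHCommand is the hardened counterpart of vulnerableSSHCommand: the host
// may not look like a flag, and every argument has passed the allow-list.
func safeSSHCommand(ctx context.Context, host, sshArguments string) (*exec.Cmd, error) {
	if host == "" || strings.HasPrefix(host, "-") {
		return nil, fmt.Errorf("invalid ssh host %q", host)
	}
	args, err := validateSSHArguments(sshArguments)
	if err != nil {
		return nil, err
	}
	return exec.CommandContext(ctx, "ssh", append(args, host)...), nil
}

func main() {
	ctx := context.Background()
	injected := "-oProxyCommand=date" // constructed sample input; the commands are built, never run
	fmt.Println("vulnerable argv:", vulnerableSSHCommand(ctx, "backup.example", injected).Args)
	if _, err := safeSSHCommand(ctx, "backup.example", injected); err != nil {
		fmt.Println("hardened:", err)
	}
	cmd, _ := safeSSHCommand(ctx, "backup.example", "-p 2222 -i /etc/kopia/id_ed25519 -oStrictHostKeyChecking=yes")
	fmt.Println("hardened argv:", cmd.Args)
}
```

An allow-list is used rather than a deny-list of ProxyCommand and friends because OpenSSH keywords are case-insensitive, accept both attached (-oName=value) and separated (-o Name=value) forms, and new command-executing options can appear in later releases; rejecting everything not explicitly permitted survives all of that.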