External risk intelligence

Attackers can read or write any files on systems using Wish SSH server

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-41589

A critical flaw in the Wish SSH server lets attackers read or write any file, potentially exposing sensitive data or letting them alter systems. This needs immediate attention because SSH servers are often internet-facing.

4Halo Surface Signal

Path Traversal

Charm Wish

2.0.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-41589

The vulnerability affects an SSH server component. SSH services are frequently exposed to the internet to facilitate remote management, file transfers, and secure access, representing a common internet-facing deployment pattern for this class of software.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the Wish SSH server allows an attacker to read or write arbitrary files on the server, potentially leading to data theft or system compromise. This issue is concerning because it can be exploited remotely with limited access.

  • Attackers can steal sensitive files.
  • Attackers can modify or delete critical data.
  • Affects the SCP file transfer functionality.

Attack Path

How an attacker could exploit the issue

An attacker with low-privileged access to a vulnerable Wish SSH server can exploit this path traversal flaw to read or write any file on the server. They achieve this by sending specially crafted filenames over SCP that bypass the intended directory restrictions. This allows them to potentially steal sensitive data or inject malicious files.

  • Requires authenticated access.
  • Targets the SCP middleware.
  • Uses crafted filenames for traversal.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Wish's SCP middleware allows an attacker to read and write arbitrary files on the server and create directories outside the intended scope. Given that SCP operates over SSH, which is a common protocol for remote server management and file transfer, this type of path traversal could be appealing for attackers seeking to gain unauthorized access or modify sensitive data on exposed systems.

  • Path traversal allows arbitrary file access.
  • SSH servers are common internet targets.
  • Patch released soon after discovery.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Wish versions prior to 2.0.1 due to the critical path traversal vulnerability. If patching is not immediately feasible, isolate affected services to prevent unauthorized file access and modification. Review logs for any signs of compromise that may have occurred before mitigation.

  • Update Wish to 2.0.1 or later.
  • Isolate affected services if patching is delayed.
  • Monitor logs for suspicious SCP activity.

Frequently asked questions

What is the Wish SSH server and what is it used for?

Wish is an SSH server that includes default settings and various middlewares. It's used for secure remote connections and file transfers, often acting as a gateway for accessing and managing systems remotely.

How does CVE-2026-41589 impact Wish SSH server's security?

CVE-2026-41589 is a path traversal vulnerability. This means an attacker can trick the SCP middleware into accessing files and directories outside of its intended scope by using specially crafted filenames containing sequences like '../'.

What are the preconditions for an attacker to exploit CVE-2026-41589?

An attacker needs authenticated access to a vulnerable Wish SSH server. They then send crafted filenames through the SCP protocol, which triggers the path traversal flaw. Normal SCP file transfers do not trigger this bug.

Who should be concerned about this Wish SSH server vulnerability?

Organizations that use the Wish SSH server, especially those with internet-facing instances, should be concerned. This is because SSH servers are often exposed to the internet for remote access, making them potential targets for unauthorized file access and modification.

What is the first step to address CVE-2026-41589 in Wish SSH?

The primary action is to update the Wish SSH server to version 2.0.1 or later, as this version includes a fix for the path traversal vulnerability. If an immediate update isn't possible, isolating the affected service can help prevent unauthorized access.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified