External risk intelligence

Kopia HTTP Server Command Injection Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-45695

Kopia is a backup tool that can be run as a local utility or as an HTTP server. While the vulnerability exists in the HTTP server component when configured without authentication, this service is typically used for internal backup management rather than as a public-facing web service or edge gateway.

OS Command Injection

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in Kopia, a cross-platform backup tool, affecting its HTTP server component when it is not password-protected. This flaw could allow unauthenticated requests to execute arbitrary commands on affected systems. The main concern at this time is confirming if this specific Kopia configuration is in use within our environment.

  • Unauthenticated Kopia server can run commands.
  • Important if using unauthenticated Kopia server.
  • Confirm if unauthenticated Kopia server is used.

Attack Path

How an attacker could exploit the issue

An attacker could exploit Kopia's HTTP server, when run without a password, by sending unauthenticated requests to a specific API endpoint. This allows them to supply a malicious SFTP storage configuration. When Kopia processes this configuration, it can be tricked into executing arbitrary commands on the server due to how it handles SSH arguments, potentially leading to full system compromise.

  • Unauthenticated network access required.
  • Attacker controls SSH arguments in configuration.
  • Leads to arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

When Kopia's HTTP server is started without a password, unauthenticated requests can be forwarded to the SFTP storage configuration. This could allow an attacker to execute arbitrary commands on the system running Kopia by leveraging specially crafted SSH arguments.

  • Backup configurations and system access.
  • Unauthenticated HTTP requests to the server.
  • Arbitrary command execution on the host.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Kopia HTTP server, particularly when configured without a password, is susceptible to unauthenticated requests that could lead to command execution. System owners and platform teams responsible for Kopia deployments should prioritize identifying instances of this HTTP server, assessing their exposure, and determining the accountable application or service owner. The immediate first step involves confirming the presence and reachability of the Kopia HTTP server, followed by a risk-based remediation plan.

  • Application owners should verify Kopia HTTP server instances.
  • Confirm reachability and business criticality first.
  • Plan remediation based on identified risks.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Kopia?

Kopia is a cross-platform software tool used for backing up data on Windows, macOS, and Linux systems. It supports fast incremental backups, data deduplication, compression, and end-to-end encryption. Beyond its command-line capabilities, Kopia can also be deployed as an HTTP server to manage backup repositories and storage configurations remotely.

What does CWE-78 and CWE-306 mean for CVE-2026-45695?

This vulnerability involves two main weaknesses. CWE-306 refers to the lack of authentication, which allows anyone to access the HTTP server. Once inside, the system falls victim to CWE-78, or OS command injection. Because the software does not properly validate user-provided input, an attacker can supply malicious instructions that the server unintentionally runs as system commands.

How can an attacker trigger this command injection?

The vulnerability is triggered when the Kopia HTTP server is started with the --without-password flag. An attacker can then send an unauthenticated request to the repository API and inject malicious SSH arguments into the storage configuration. Importantly, this attack path requires the server to be running without authentication; standard password-protected instances are not susceptible to this specific request flow.

Is my environment at risk from this Kopia vulnerability?

According to Halo Surface Signal, this risk depends on your deployment architecture. Kopia is often used as a local utility or an internal backup manager rather than a public-facing web service. If you host an instance where the HTTP server is reachable from an untrusted network or the internet without password protection, your risk level is significantly higher than for instances strictly confined to internal, trusted networks.

What should I do to secure my Kopia installation?

The most effective way to address this issue is to upgrade to Kopia version 0.23.0 or later, which contains the necessary security fixes. As an immediate step, verify all running Kopia HTTP server instances in your environment. If you cannot update immediately, ensure the server is not running with the --without-password flag and restrict network access to the service to prevent unauthorized requests.

References