CVE-2026-45695

Kopia · Kopia

Kopia's HTTP server, when started without a password, is vulnerable to unauthenticated OS command injection via maliciously crafted SFTP storage configuration parameters.

Executive summary

An unauthenticated OS command injection vulnerability in Kopia, if configured without a password, allows remote attackers to execute arbitrary commands on the host system.

Vulnerability

The vulnerability occurs because the /api/v1/repo/exists endpoint lacks authentication when the server is started with the --without-password flag. Attackers can inject malicious arguments, specifically through the -oProxyCommand parameter, into the SSH command execution context, leading to arbitrary OS command injection.

Business impact

Successful exploitation allows an attacker to execute arbitrary code on the underlying host operating system with the privileges of the Kopia service. This leads to full system compromise, lateral movement within the network, and potential access to sensitive backup data. Given the CVSS score of 9.8, the risk to confidentiality, integrity, and availability is extreme.

Remediation

Immediate Action: Upgrade Kopia to version 0.23.0 or later immediately. Ensure that the Kopia server is never run with the --without-password flag in a production environment.

Proactive Monitoring: Review process execution logs for anomalous child processes spawned by the Kopia service. Monitor system logs for unauthorized access attempts to the /api/v1/repo/exists endpoint.

Compensating Controls: Use network-level access controls to restrict access to the Kopia HTTP interface to authorized internal management IP addresses only. Implement a firewall or reverse proxy to require authentication before reaching the Kopia API.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

The ability to execute OS commands without authentication makes this a high-priority risk for any organization utilizing Kopia. Upgrading to version 0.23.0 is the only reliable method to eliminate this vulnerability. Organizations should audit their deployment configurations to ensure the --without-password flag is not in use.