CVE-2026-45695
Kopia · Kopia
Kopia's HTTP server, when started without a password, is vulnerable to unauthenticated OS command injection via maliciously crafted SFTP storage configuration parameters.
Executive summary
An unauthenticated OS command injection vulnerability in Kopia, if configured without a password, allows remote attackers to execute arbitrary commands on the host system.
Vulnerability
The vulnerability occurs because the /api/v1/repo/exists endpoint lacks authentication when the server is started with the --without-password flag. Attackers can inject malicious arguments, specifically through the -oProxyCommand parameter, into the SSH command execution context, leading to arbitrary OS command injection.
Business impact
Successful exploitation allows an attacker to execute arbitrary code on the underlying host operating system with the privileges of the Kopia service. This leads to full system compromise, lateral movement within the network, and potential access to sensitive backup data. Given the CVSS score of 9.8, the risk to confidentiality, integrity, and availability is extreme.
Remediation
Immediate Action: Upgrade Kopia to version 0.23.0 or later immediately. Ensure that the Kopia server is never run with the --without-password flag in a production environment.
Proactive Monitoring: Review process execution logs for anomalous child processes spawned by the Kopia service. Monitor system logs for unauthorized access attempts to the /api/v1/repo/exists endpoint.
Compensating Controls: Use network-level access controls to restrict access to the Kopia HTTP interface to authorized internal management IP addresses only. Implement a firewall or reverse proxy to require authentication before reaching the Kopia API.
Exploitation status
Public Exploit Available: No (exploit_available: false)
Analyst recommendation
The ability to execute OS commands without authentication makes this a high-priority risk for any organization utilizing Kopia. Upgrading to version 0.23.0 is the only reliable method to eliminate this vulnerability. Organizations should audit their deployment configurations to ensure the --without-password flag is not in use.