CVE-2026-41589: Critical Path Traversal in Wish SSH Server SCP Middleware
The National Vulnerability Database has issued a critical advisory for CVE-2026-41589, affecting the SCP middleware in charm.land/wish/v2, an SSH server. Versions 2.0.0 through to prior to 2.0.1 are vulnerable to path traversal attacks, earning a CVSS score of 9.6 (CRITICAL). This isn’t theoretical; a malicious SCP client can weaponize crafted filenames containing ../ sequences.
Attackers can exploit this to read arbitrary files, write arbitrary files, and create directories outside the configured root on the server. This bypasses intended access controls and fundamentally compromises system integrity. The implications are severe: complete system compromise, data exfiltration, or persistent backdoor installation are all on the table.
The fix is straightforward: upgrade to version 2.0.1 immediately. The National Vulnerability Database confirms this patch addresses the path traversal flaw. For any organization running Wish as an SSH server, this is a non-negotiable update. Leaving this unpatched is an open invitation for a breach.
What This Means For You
- If your organization uses Wish as an SSH server, specifically `charm.land/wish/v2` versions 2.0.0 to 2.0.1, you are critically exposed. Patch to version 2.0.1 immediately. Audit your SSH server logs for any unusual file transfers or directory creations, particularly from untrusted SCP clients, as this indicates potential exploitation.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Credential Abuse from Breached Vendor — CVE-2026-41589
title: Credential Abuse from Breached Vendor — CVE-2026-41589
id: scw-2026-05-07-1
status: experimental
level: high
description: |
Monitor for authentication attempts using credentials from target.local, potentially exposed in the CVE-2026-41589 breach.
author: SCW Feed Engine (auto-generated)
date: 2026-05-07
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-41589/
tags:
- attack.initial_access
- attack.t1078.004
logsource:
category: authentication
detection:
selection:
User|endswith:
- '@target.local'
condition: selection
falsepositives:
- Legitimate activity from CVE-2026-41589
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41589 | Vulnerability | CVE-2026-41589 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 07, 2026 at 17:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-44264 — Weblate is a web based localization tool. Prior to version
CVE-2026-44264 — Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't...
CVE-2026-44263 — Weblate is a web based localization tool. Prior to version
CVE-2026-44263 — Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of...
gnutls CVE-2026-42011: Certificate Validation Bypass Poses MITM Risk
CVE-2026-42011 — A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had...