Critical RCE Vulnerabilities in Backup and CMS Infrastructure: Unauthenticated Exploits in Kopia and TYPO3
- May 24
- 2 min read
Key Findings
Critical unauthenticated remote code execution flaw in Kopia backup server HTTP implementation tracked as CVE-2026-45695 with CVSS score of 9.8
Vulnerability stems from improper command argument parsing in SSH backend handling without input validation or quote handling
Attack exploits SSH ProxyCommand injection via the /api/v1/repo/exists endpoint when server runs with --without-password flag
Requires only single HTTP request with no user interaction to achieve full command execution as Kopia process user
Versions 0.22.3 and earlier are vulnerable; patch available in version 0.23.0 and above
Separate critical flaw in TYPO3 Content Element Selector extension (CVE-2026-46725, CVSS 9.2) uses insecure PHP deserialization for unauthenticated RCE
Background
Kopia has established itself as a popular open-source tool for creating secure data snapshots and backups. Its HTTP server implementation allows administrators to expose backup functionality across networks. However, researchers recently discovered that this accessibility comes with a dangerous security cost when the server is configured to accept unauthenticated requests.
How the SSH ProxyCommand Injection Works
The vulnerability originates in how Kopia processes backend storage configuration requests. When administrators enable the --without-password flag, the HTTP server accepts unauthenticated API calls to specific endpoints. An attacker can send malicious payloads directly to the /api/v1/repo/exists handler without any credentials.
The server then forwards this user-supplied storage configuration directly to the backend system. If that backend uses SFTP with external SSH enabled, Kopia constructs a process command line from the incoming data. The critical flaw emerges here: the backend code splits arguments using only literal space characters with no proper tokenizer, quote handling, or input validation.
The Attack Chain
An attacker exploits this parsing weakness by injecting dangerous arguments into the configuration string. Specifically, adding an -oProxyCommand=<cmd> token triggers the malicious behavior. OpenSSH interprets this directive as an instruction to execute arbitrary commands through the host shell before even attempting a network connection.
The injected command executes successfully regardless of whether the target destination is reachable. This gives the attacker full command execution privileges running as the local Kopia process user. The entire exploit requires nothing more than a single HTTP request and zero user interaction.
Vulnerable and Patched Versions
Kopia version 0.22.3 and all earlier releases contain the vulnerability. The security fix arrived in version 0.23.0 and subsequent builds. If immediate upgrading is impossible, a temporary mitigation exists: a new code patch now blocks server startup without an active password configuration whenever the system listens on any non-loopback network interface. Changing your interface configurations can reduce the active attack surface while you prepare for patching.
Related TYPO3 Extension Vulnerability
A separate but equally critical flaw affects the TYPO3 Content Element Selector extension (CVE-2026-46725, CVSS 9.2). This third-party plugin contains an insecure deserialization vulnerability that allows unauthenticated remote code execution through PHP Object Injection. An attacker crafts a malicious serialized payload within a browser cookie that executes arbitrary code when the server processes the request.
The attack only succeeds if the content element is configured with "Persistent Mode: Static" in the plugin options. Vulnerable versions span from 3.0.2 through 6.0.0. Patched versions 3.0.3, 4.0.2, 5.0.1, and 6.0.1 are available through Packagist and the official TYPO3 extension manager.
Sources
https://securityonline.info/kopia-ssh-proxycommand-injection-rce/
https://securityonline.info/typo3-extension-content-element-selector-rce-cve-2026-46725/

Comments