Kopia CVE-2026-45695 (CVSS 9.8) Unauthenticated RCE
Kopia, an open-source backup and restore utility, is affected by a critical remote code execution (RCE) vulnerability, CVE-2026-45695. This flaw, identified within the Kopia HTTP server implementation, carries a severe CVSS score of 9.8 (Critical). The vulnerability allows for unauthenticated command injection via specially crafted HTTP requests, leading to arbitrary code execution on affected backup servers.
The attack vector uses improper input validation in Kopia's handling of SFTP backend configurations, specifically when the HTTP server is configured to operate without password authentication. Exploitation results in an attacker gaining full command execution privileges as the local Kopia process user, prior to any network connection attempt. This poses a significant risk to data integrity, confidentiality, and availability within environments using vulnerable Kopia instances.
Immediate action is necessary to mitigate the risks associated with CVE-2026-45695. While the provided research does not explicitly state in-the-wild exploitation for this specific CVE, the existence of a high-severity, unauthenticated RCE makes it an attractive target for malicious actors. Timely patching and the application of temporary architectural mitigations are essential to protect backup infrastructure from potential compromise.
What is CVE-2026-45695 and why is it critical?
CVE-2026-45695 identifies a critical command injection vulnerability in Kopia backup servers, specifically impacting installations where the HTTP server runs with unauthenticated access. This vulnerability enables remote code execution (RCE) through a malicious ProxyCommand injection. It is critical because it permits an unauthenticated attacker to execute arbitrary commands on the host system with the privileges of the Kopia process, requiring no user interaction beyond a single HTTP request.
The severity of CVE-2026-45695 is reflected by its CVSS score of 9.8, categorizing it as Critical. Compromise of a backup server through RCE can lead to several severe outcomes, including unauthorized access to sensitive backup data, data exfiltration, deletion or corruption of backups, and persistence within an organization's network. Given Kopia's role in data protection and recovery, exploitation of this vulnerability directly undermines an organization's core data security posture.
Impact
An attacker successfully exploiting CVE-2026-45695 can achieve arbitrary remote code execution on the compromised Kopia backup server. This means an unauthorized actor can execute any command as the user account under which the Kopia process is running. The ramifications of such an exploit are extensive, potentially leading to a complete compromise of the backup system and access to all data managed by Kopia.
The primary risks include:
- Data Exfiltration: Attackers can access, copy, and exfiltrate sensitive data stored in backups. This includes confidential business information, intellectual property, or personally identifiable information (PII) of employees or customers.
- Data Manipulation and Integrity Loss: Malicious actors could modify or delete backup archives, rendering them useless for recovery purposes. This directly impacts an organization's ability to recover from other incidents, such as ransomware attacks or accidental data loss.
- System Takeover: With RCE, attackers can install additional malware, establish persistence, or use the compromised backup server as a pivot point to move laterally within the network. This can escalate an initial backup server compromise into a widespread organizational breach.
- Denial of Service: Attackers could intentionally crash the Kopia service or the underlying operating system, disrupting backup operations and making data inaccessible.
Organizations using Kopia for backup and restore operations are at risk, particularly those running versions earlier than 0.23.0 and configured with an unauthenticated HTTP server listening on non-loopback interfaces. The risk extends to any environment relying on Kopia for critical data management, making remediation a high-priority security task. This unauthenticated RCE resembles other critical command injection flaws that can lead to system takeover, as discussed in our analysis of CVE-2026-8153, a critical RCE vulnerability affecting Universal Robots.
Exploitation chain
The exploitation chain for CVE-2026-45695 involves a command injection technique using the ProxyCommand directive within OpenSSH, triggered through Kopia's HTTP server. The attack vector begins with an unauthenticated HTTP request directed at a vulnerable Kopia instance.
Preconditions for Exploitation:
- The Kopia HTTP server must be running.
- The server must be started with the
--without-passwordflag, explicitly allowing unauthenticated requests. - The Kopia server must be configured to use an SFTP backend.
- The server's HTTP interface must be accessible to the attacker on a non-loopback network interface.
When these conditions are met, an unauthenticated user can send a malicious payload to the /api/v1/repo/exists API endpoint. Kopia's server forwards the user-supplied storage setup directly to the backend system. If the SFTP backend is active and external SSH is enabled, the application constructs a process command line.
The core of the vulnerability lies in Kopia's improper handling of incoming arguments. The backend code splits arguments using only literal space characters, lacking a proper tokenizer, quote handling controls, or strict input validation allowlists. This allows an attacker to inject dangerous arguments into the configuration string. Specifically, inserting an -oProxyCommand= token into the fields triggers the malicious behavior.
OpenSSH interprets the ProxyCommand directive as an instruction to execute the specified through the host's shell. This shell execution occurs before OpenSSH even attempts a network connection to the target SFTP server. Consequently, the injected command executes successfully, even if the SFTP destination specified in the malicious payload is unreachable. This mechanism provides the unauthorized attacker full command execution privileges as the local Kopia process user. The entire exploit requires no user interaction beyond the initial HTTP request, resulting in an unauthenticated RCE. This attack method, relying on OS command injection, shares similarities with the exploitation detailed in our previous research on CVE-2026-30815, an OS command injection in TP-Link devices. The research findings confirm that proof-of-concept (PoC) level exploitation is feasible due to the direct nature of the command injection.
Affected products and versions
The CVE-2026-45695 vulnerability impacts Kopia installations running specific versions. Organizations must verify their deployment versions against the following list:
- Vulnerable Releases:
- Kopia installations running version 0.22.3 and all earlier builds are explicitly vulnerable.
- Patched Releases:
- Kopia installations running version 0.23.0 and above contain the official security fix.
Administrators are advised to consult the official Kopia GitHub repository for release details and changelogs to ensure accurate version identification and patching procedures.
Detection
Detecting exploitation of CVE-2026-45695 requires monitoring for anomalous activity indicative of command injection and unauthorized access attempts. Given the nature of the exploit, specific indicators can be observed at the network, host, and application levels.
Network Indicators:
- Unusual HTTP Requests: Monitor for HTTP POST requests directed to the
/api/v1/repo/existsendpoint of Kopia servers from unauthenticated or unexpected source IP addresses. Pay attention to requests with unusually long or malformed parameters in the request body, particularly those attempting to define SFTP backend configurations. - Outbound Connections: Observe for outbound network connections originating from the Kopia server process to unusual destinations or on atypical ports. This could indicate an attacker establishing command-and-control (C2) channels or exfiltrating data post-exploitation.
Host-Based Indicators:
- Process Creation Anomalies: Monitor for unusual child processes spawned by the Kopia process. This includes unexpected shell processes (e.g.,
sh,bash,cmd.exe) or the execution of system utilities (e.g.,curl,wget,nc,python,perl) that are not part of Kopia's normal operational behavior. - File System Modifications: Look for newly created or modified files in unusual directories, particularly executable files, scripts, or persistent backdoor components, written by the Kopia process user.
- Log Analysis: Review Kopia application logs for error messages related to SFTP backend setup that might contain injected
ProxyCommandstrings or indicate failed attempts at command execution. Examine system logs (e.g.,auth.log,syslog, Windows Event Logs) for suspicious SSH activity, failed authentication attempts, or privilege escalation events from the Kopia user. Also, check for logs indicating attempts to start an HTTP server without a password configuration, especially if it listens on a non-loopback interface.
EDR/SIEM Queries:
- Implement EDR rules to detect
ProxyCommandstrings within command-line arguments of processes related to SSH or Kopia's SFTP interactions, and monitor for the execution of SSH client processes with-oProxyCommandflags containing suspicious commands. - Create SIEM alerts for sequences of events that match the exploitation pattern: an unauthenticated HTTP request to
/api/v1/repo/existsfollowed by unusual process spawns or outbound network activity from the Kopia server.
The absence of a specific public Proof-of-Concept (PoC) does not lessen the critical nature of this vulnerability. Proactive monitoring based on the described exploitation mechanism is essential for early detection.
Remediation
Immediate remediation for CVE-2026-45695 is crucial to prevent unauthenticated remote code execution on Kopia backup servers. Organizations should prioritize patching and, where immediate patching is not feasible, apply available architectural mitigations.
1. Patching:
- Upgrade to Patched Versions: The primary and most effective remediation is to upgrade Kopia installations to version 0.23.0 or later. These versions contain the official security fix that addresses the command injection vulnerability.
- Access the official Kopia GitHub releases page at
to download the latest patched release. - Follow Kopia's official upgrade instructions to ensure a smooth and secure transition.
2. Workarounds and Mitigations (If Immediate Patching is Not Possible):
- Disable --without-password
on Non-Loopback Interfaces: A key architectural mitigation implemented in later versions, which can be manually applied or considered as a best practice, is to avoid starting the Kopia HTTP server with the --without-passwordflag when it listens on any non-loopback network interface. - If the Kopia HTTP server must be accessible, ensure it is configured with strong password protection.
- Alternatively, restrict the HTTP server to listen only on the loopback interface (127.0.0.1
or::1) if remote access is not required, thereby limiting its exposure to the local system. - Network Segmentation: Isolate Kopia backup servers in a dedicated network segment with strict firewall rules. Limit inbound access to the Kopia HTTP server to only trusted administrators or necessary internal services. Block all unnecessary outbound connections from the backup server.
- Principle of Least Privilege: Ensure the Kopia process runs with the minimum necessary privileges. This reduces the potential impact of a successful RCE, as an attacker would be limited by the permissions of the Kopia user.
- Disable SFTP Backend if Not Required: If the SFTP backend feature is not used in your Kopia deployment, consider disabling it or ensuring its configuration is secure and not exposed to injection.
3. Monitoring:
- Enhanced Logging and Auditing: Implement enhanced logging for the Kopia application and the underlying operating system. Regularly review logs for any suspicious activity, as outlined in the "Detection" section, particularly related to the /api/v1/repo/exists` endpoint and anomalous process creation.
- Integrate with Security Tools: Use Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) solutions to monitor for the indicators of compromise (IOCs) associated with CVE-2026-45695.
Organizations should plan for a phased approach, applying mitigations immediately and scheduling full patching as soon as possible. Regular security audits and vulnerability assessments of Kopia deployments should also be conducted.