🟡 Medium | Source: Microsoft Security Response Center
A vulnerability in the scp utility within OpenSSH versions prior to 10.4 can cause files to be written to a parent directory rather than the intended destination directory during remote-to-remote copy operations. This path traversal-style behaviour could result in files landing in unintended locations, potentially overwriting sensitive files or bypassing directory-based access controls. Microsoft has published this advisory in the context of Azure-hosted systems running affected OpenSSH versions.
Security Architect’s Take: Audit Azure VMs and container images for OpenSSH versions below 10.4 and prioritise upgrading to 10.4 or later; additionally, review any automated pipelines or scripts using scp for remote-to-remote transfers, as these are the affected code paths.
Original advisory: CVE-2026-59996 scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.