🟡 Medium  |  Source: Microsoft Security Response Center


A vulnerability in OpenSSH versions prior to 10.4 means that the internal SFTP subsystem only processes the first 9 command-line arguments, silently ignoring any beyond that. This could result in security-relevant arguments — such as those restricting file access or enforcing chroot — being overlooked, potentially weakening the intended security posture of SFTP connections. The issue is particularly relevant in environments where OpenSSH is deployed on Azure virtual machines or services.

Security Architect’s Take: Audit your Azure VM and container deployments to identify any OpenSSH instances running versions prior to 10.4, paying close attention to SFTP configurations that rely on more than 9 command-line arguments. Prioritise patching to OpenSSH 10.4 or later and review your sshd_config SFTP subsystem arguments to confirm all intended security constraints are actually being applied.

Original advisory: CVE-2026-59997 internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.