Kopia RCE and backup server exposure: are your controls keeping up?

TL;DR: A CVE-2026-45695 flaw in Kopia allows unauthenticated remote code execution through SSH argument injection when the server runs in passwordless mode and exposes an SFTP backend, according to Orca Security. Backup infrastructure that assumes internal reachability is enough to justify weak authentication now needs a stricter identity and exposure model.

NHIMG editorial — based on content published by Orca Security covering the Kopia vulnerability: unauthenticated remote code execution through SSH argument injection

By the numbers:

• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
• Only 5.7% of organisations have full visibility into their service accounts.

Questions worth separating out

Q: What breaks when a backup server accepts unauthenticated requests and passes them into SSH arguments?

A: The trust boundary breaks first, then the service becomes a remote code execution path.

Q: Why do backup tools create high-impact exposure when they are reachable from the network?

A: Backup tools often hold broad storage and restore permissions, so their effective authority is larger than their user interface suggests.

Q: How do security teams know whether a backup service is operating outside its intended boundary?

A: Look for routable listeners, passwordless modes, direct shell invocation, and SFTP or SSH settings that accept user-controlled fields.

Practitioner guidance

• Remove passwordless exposure from routable interfaces Bind Kopia servers to localhost where possible, and place any externally reachable instance behind an authenticating reverse proxy before exposing it to non-loopback traffic.
• Treat backup services as privileged non-human identities Inventory each Kopia deployment as a high-trust workload, then document its repository access, SSH dependencies, and the systems it can modify or restore.
• Block unsafe request-to-command paths Review any configuration fields that flow into shell or SSH arguments, then require allowlists, strict tokenisation, and rejection of unsupported ProxyCommand-style input.

What's in the full analysis

Orca Security's full analysis covers the operational detail this post intentionally leaves for the source:

• Affected version boundaries and the exact runtime conditions that make the issue exploitable
• The specific remediation path for upgrading to version 0.23.0 and removing insecure startup modes
• Exposure context in Orca's platform, including runtime reachability and asset criticality
• The advisory trail, including the merged GitHub fix and security advisory reference

👉 Read Orca Security's analysis of the Kopia unauthenticated RCE flaw →

Kopia RCE and backup server exposure: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →