OpenSSH before 2.9.9, when running sftp using sftp-server and using restricted keypairs, allows remote authenticated users to bypass authorized_keys2 command= restrictions using sftp commands.
http://archives.neohapsis.com/archives/bugtraq/2001-09/0153.html