CVE-2026-30914
Status: Received - Intake
Authorization Bypass via Path Normalization in SFTPGo Virtual Folders

Publication date: 2026-03-13

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. This vulnerability is fixed in 2.7.1.
Meta Information
Published: 2026-03-13
Last Modified: 2026-03-18
Generated: 2026-06-16
AI Q&A: 2026-03-13
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: sftpgo_project
Product: sftpgo
Version / Range: up to 2.7.1 (excluding)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
Executive Summary

CVE-2026-30914 is a vulnerability in SFTPGo versions prior to 2.7.1 caused by a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing.

This discrepancy allows an authenticated attacker to craft specially designed file paths that bypass folder-level permissions or escape the boundaries of a configured Virtual Folder, effectively leading to unauthorized access.

The vulnerability was fixed in version 2.7.1 by implementing strict edge-level path normalization to ensure all protocol inputs are fully sanitized and resolved to canonical POSIX paths before routing or permission checks.

Impact Analysis

This vulnerability can allow an authenticated attacker to bypass folder-level permissions or escape the confines of a configured Virtual Folder within SFTPGo.

As a result, the attacker could gain unauthorized access to files or directories that should be restricted, potentially exposing sensitive data or compromising the integrity of the file transfer system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade SFTPGo to version 2.7.1 or later, where the issue has been fixed by implementing strict edge-level path normalization.

This update ensures that all protocol inputs are fully sanitized and resolved to canonical POSIX paths before any routing or permission checks, preventing unauthorized access via crafted file paths.
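The canonicalize-then-check ordering that the fix describes, shown as an added Go illustration that is not SFTPGo's own code: VirtualFolder, canonicalize, isWithin and authorize are hypothetical names, and the folder layout and permission sets are constructed for this example. Every request path is reduced to one canonical POSIX form first, and both the routing decision (which virtual folder serves the path) and the permission check are made against that same form.

```go
package main

import (
	"path"
	"strings"
)

// VirtualFolder is a hypothetical mount used only in this example: a virtual
// path prefix and the operations the user may perform beneath it.
type VirtualFolder struct {
	VirtualPath string
	Perms       map[string]bool
}

// canonicalize turns whatever a protocol handler received into one absolute,
// cleaned POSIX path. Rooting the input before path.Clean matters: a leading
// ".." on a rooted path is dropped ("/../x" cleans to "/x"), so the result can
// never climb above the user's virtual root.
func canonicalize(raw string) string {
	if !strings.HasPrefix(raw, "/") {
		raw = "/" + raw
	}
	return path.Clean(raw)
}

// isWithin reports whether canonical path p is folder itself or lies below it.
// The trailing "/" in the prefix test keeps "/sharedx" from matching "/shared".
func isWithin(p, folder string) bool {
	return p == folder || strings.HasPrefix(p, strings.TrimSuffix(folder, "/")+"/")
}

// authorize canonicalizes the request exactly once, then performs routing
// (which virtual folder serves the path) and the permission check against
// that same canonical form. It returns the serving folder ("" for the user's
// root) and whether op is permitted there.
func authorize(folders []VirtualFolder, rootPerms map[string]bool, raw, op string) (string, bool) {
	p := canonicalize(raw)
	var best *VirtualFolder // longest matching prefix wins for nested mounts
	for i := range folders {
		f := &folders[i]
		if isWithin(p, f.VirtualPath) && (best == nil || len(f.VirtualPath) > len(best.VirtualPath)) {
			best = f
		}
	}
	if best == nil {
		return "", rootPerms[op]
	}
	return best.VirtualPath, best.Perms[op]
}
```

A request such as "/shared/../private.txt" is therefore routed and checked as "/private.txt" against the root's permissions, not against the permissions of the "/shared" folder its raw form appeared to target.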
