CVE-2026-30914
Status: Received - Intake
Authorization Bypass via Path Normalization in SFTPGo Virtual Folders

Publication date: 2026-03-13

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. This vulnerability is fixed in 2.7.1.
Meta Information

Generated: 2026-05-07
AI Q&A generated: 2026-03-13
EPSS evaluated: 2026-05-05
Affected Vendors & Products

Vendor           Product   Version / Range
sftpgo_project   sftpgo    up to 2.7.1 (excluding 2.7.1)
CWE

CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-30914 is a vulnerability in SFTPGo versions prior to 2.7.1 caused by a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing.

This discrepancy allows an authenticated attacker to craft specially designed file paths that bypass folder-level permissions or escape the boundaries of a configured Virtual Folder, effectively leading to unauthorized access.

The vulnerability was fixed in version 2.7.1 by implementing strict edge-level path normalization to ensure all protocol inputs are fully sanitized and resolved to canonical POSIX paths before routing or permission checks.


How can this vulnerability impact me?

This vulnerability can allow an authenticated attacker to bypass folder-level permissions or escape the confines of a configured Virtual Folder within SFTPGo.

As a result, the attacker could gain unauthorized access to files or directories that should be restricted, potentially exposing sensitive data or compromising the integrity of the file transfer system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade SFTPGo to version 2.7.1 or later, where the issue has been fixed by implementing strict edge-level path normalization.

This update ensures that all protocol inputs are fully sanitized and resolved to canonical POSIX paths before any routing or permission checks, preventing unauthorized access via crafted file paths.
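The fix described above, normalizing every protocol path to one canonical POSIX form before any routing or permission decision is made, is the general defence against this class of discrepancy. The following Go program is an added example written for this page; it is not SFTPGo's code and does not reproduce its internals. It assumes a simplified, hypothetical model of virtual folders (a mount point inside the user's virtual root backed by a server directory, with a per-mount permission set) and constructed sample requests. The point it demonstrates is that the permission lookup and the backing-path computation both run on the same canonical path, so a raw path containing "..", backslashes or doubled slashes cannot be evaluated one way by the authorization check and another way by the filesystem layer.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// VirtualFolder is a constructed, simplified model (not SFTPGo's type): a mount
// point inside the user's virtual root, backed by a real server directory.
type VirtualFolder struct {
	MountPath  string          // canonical virtual mount point, e.g. "/shared"
	MappedPath string          // backing directory on the server, e.g. "/srv/data/shared"
	Perms      map[string]bool // operations allowed inside this mount
}

// ErrDenied is returned when the operation is not permitted on the resolved folder.
var ErrDenied = errors.New("permission denied")

// CanonicalPath turns a raw protocol path into one canonical absolute POSIX path.
// Backslashes are folded to "/", a missing leading slash is added, and path.Clean
// collapses ".", "..", repeated and trailing slashes. Because the input is made
// absolute first, ".." can never climb above "/", so no ".." segment survives.
func CanonicalPath(raw string) string {
	p := strings.ReplaceAll(raw, "\\", "/")
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	return path.Clean(p)
}

// within reports whether clean equals the mount or lies strictly below it.
// A bare prefix test would wrongly match "/shared2" against the mount "/shared".
func within(clean, mount string) bool {
	if mount == "/" {
		return true
	}
	return clean == mount || strings.HasPrefix(clean, mount+"/")
}

// ResolveFolder picks the most specific folder whose mount contains clean.
// clean must already be canonical: only pass CanonicalPath output.
func ResolveFolder(folders []VirtualFolder, clean string) *VirtualFolder {
	var best *VirtualFolder
	for i := range folders {
		f := &folders[i]
		if within(clean, f.MountPath) && (best == nil || len(f.MountPath) > len(best.MountPath)) {
			best = f
		}
	}
	return best
}

// Authorize is the single entry point a protocol handler would call: normalize
// once, then run the permission check and the backing-path computation on that
// same canonical path. It returns the backing path the filesystem layer may use.
func Authorize(folders []VirtualFolder, rawPath, op string) (string, error) {
	clean := CanonicalPath(rawPath)
	f := ResolveFolder(folders, clean)
	if f == nil {
		return "", fmt.Errorf("no folder serves %q", clean)
	}
	if !f.Perms[op] {
		return "", fmt.Errorf("%w: %s on %s", ErrDenied, op, clean)
	}
	rel := strings.TrimPrefix(clean, f.MountPath) // empty for the mount itself
	backing := path.Join(f.MappedPath, rel)
	// Defence in depth: the backing path must still sit inside the mapped directory.
	if !within(backing, f.MappedPath) {
		return "", fmt.Errorf("%q escapes %q", backing, f.MappedPath)
	}
	return backing, nil
}

// DemoFolders is a constructed configuration: a user root with full rights and a
// read-only virtual folder mounted at /shared.
func DemoFolders() []VirtualFolder {
	return []VirtualFolder{
		{MountPath: "/", MappedPath: "/srv/users/alice", Perms: map[string]bool{"list": true, "download": true, "upload": true}},
		{MountPath: "/shared", MappedPath: "/srv/data/shared", Perms: map[string]bool{"list": true, "download": true}},
	}
}

func main() {
	// Constructed sample requests: each is normalized before any decision is made.
	for _, req := range [][2]string{
		{"/shared/report.pdf", "download"},
		{"/shared/../shared/report.pdf", "upload"},
		{"shared\\sub\\..\\..\\private.txt", "download"},
		{"/shared2/x", "download"},
	} {
		backing, err := Authorize(DemoFolders(), req[0], req[1])
		fmt.Printf("%-36s %-9s -> %q %v\n", req[0], req[1], backing, err)
	}
}
```

The second request shows why normalizing first matters: "/shared/../shared/report.pdf" is evaluated as "/shared/report.pdf", so the read-only permissions of the /shared mount apply and the upload is refused. The third request collapses to "/private.txt" in the user's own root, and the fourth shows that "/shared2" is not treated as part of "/shared" despite sharing a string prefix.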

