PT-2026-25354 · Sftpgo · Sftpgo

Mcantrell · Published 2026-03-13 · Updated 2026-03-25 · CVE-2026-30914

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

SFTPGo versions prior to 2.7.1

Description

SFTPGo is an open-source, event-driven file transfer solution. A path normalization discrepancy exists between the protocol handlers and the internal Virtual Filesystem routing in versions prior to 2.7.1. This discrepancy can lead to an authorization bypass. An authenticated attacker can create specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder.

Recommendations

Update to SFTPGo version 2.7.1 or later.

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-30914
GHSA-X8QH-7475-C5MP
GO-2026-4699
SUSE-SU-2026:1042-1

Affected Products

Sftpgo