CVE-2026-30914 in sftpgo
Summary
by MITRE • 03/13/2026
SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. This vulnerability is fixed in 2.7.1.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/20/2026
The vulnerability identified as CVE-2026-30914 represents a critical authorization bypass flaw within SFTPGo, an open source event-driven file transfer solution that serves as a comprehensive replacement for traditional FTP servers. This issue affects versions prior to 2.7.1 and stems from a fundamental inconsistency in how the system handles path normalization across its protocol handlers and internal virtual filesystem routing mechanisms. The flaw exploits a discrepancy where the system's interpretation of file paths differs between the external protocol interface and the internal filesystem access controls, creating a potential security gap that authenticated attackers can leverage to gain unauthorized access to resources they should not be permitted to access.
The technical implementation of this vulnerability occurs through a path normalization discrepancy that allows attackers to craft specific file paths that bypass folder-level permissions. When users authenticate to the SFTPGo service, they are typically restricted to accessing only designated virtual folders or directories based on their assigned permissions. However, due to the inconsistent path handling, attackers can manipulate file path references to navigate beyond these configured boundaries. The vulnerability specifically targets the virtual filesystem routing logic where relative paths or specially crafted path sequences can be interpreted differently by the protocol handlers compared to how the internal filesystem processes these same paths, effectively allowing unauthorized access to files or directories outside the intended scope of the user's permissions.
The operational impact of this vulnerability extends beyond simple unauthorized file access, as it represents a fundamental breakdown in the security model of SFTPGo's access controls. An authenticated attacker with minimal privileges could potentially escalate their access to read, write, or execute operations on files and directories that should be restricted based on their assigned virtual folder boundaries. This authorization bypass affects the core security principle of least privilege that SFTPGo implements, potentially allowing attackers to access sensitive data, modify files outside their designated access scope, or even execute commands that could compromise the entire system. The vulnerability particularly impacts environments where SFTPGo serves as a primary file transfer solution for organizations handling confidential data, as it undermines the integrity of the access control mechanisms that protect sensitive information.
The mitigation for CVE-2026-30914 requires immediate deployment of SFTPGo version 2.7.1, which addresses the path normalization discrepancy through corrected internal filesystem routing logic. Organizations should also implement comprehensive monitoring of authentication events and file access patterns to detect potential exploitation attempts, as the vulnerability may not always be immediately apparent during normal operations. Security teams should conduct thorough audits of virtual folder configurations and permission settings to ensure that existing access controls remain effective after the patch is applied. This vulnerability aligns with CWE-22, which describes improper limitation of a pathname to a restricted directory, and represents a classic example of how path traversal issues can manifest in complex filesystem implementations. From an ATT&CK perspective, this vulnerability maps to T1078.004, which covers valid accounts with restricted access, and T1566, which involves the exploitation of vulnerabilities to gain initial access or privilege escalation within a system environment. Organizations should also consider implementing additional security controls such as mandatory access controls, file integrity monitoring, and regular security assessments to prevent similar path normalization issues from occurring in other components of their infrastructure.