Description
SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. This vulnerability is fixed in 2.7.1.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Patch
AI Analysis

Impact

The vulnerability in SFTPGo is a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing. This cause the server to treat normalized paths incorrectly, allowing an authenticated attacker to craft specific file paths that bypass folder‑level permissions or escape the boundaries of a configured Virtual Folder. The intrusion opportunity arises from the difference in path handling between protocol handlers and the internal virtual filesystem, which effectively lets an attacker access files beyond their authorized scope.

Affected Systems

Affected vendor: drakkan. Product: SFTPGo. The issue applies to all releases prior to version 2.7.1, as noted in the advisory and the cpe:2.3:a:sftpgo_project:sftpgo:*:*:*:*:*:*:*:* descriptor.

Risk and Exploitability

The CVSS score of 5.3 points to a medium severity risk. The EPSS score is reported as below 1%, indicating a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploitation. The attack vector is inferred to be an authenticated SFTP session where the attacker crafts malicious paths, taking advantage of the path normalization discrepancy to bypass authorization controls. The recommended mitigation is to upgrade to version 2.7.1 or later, which resolves the path handling issue.

Generated by OpenCVE AI on March 18, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SFTPGo to version 2.7.1 or later

Generated by OpenCVE AI on March 18, 2026 at 21:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x8qh-7475-c5mp SFTPGo Vulnerable to Path Traversal and Permission Bypass via Path Normalization Discrepancy
History

Wed, 18 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Sftpgo Project
Sftpgo Project sftpgo
CPEs cpe:2.3:a:sftpgo_project:sftpgo:*:*:*:*:*:*:*:*
Vendors & Products Sftpgo Project
Sftpgo Project sftpgo
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Drakkan
Drakkan sftpgo
Vendors & Products Drakkan
Drakkan sftpgo

Fri, 13 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. This vulnerability is fixed in 2.7.1.
Title SFTPGo has a Path Traversal and Permission Bypass via Path Normalization Discrepancy
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Drakkan Sftpgo
Sftpgo Project Sftpgo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T19:41:55.916Z

Reserved: 2026-03-07T16:40:05.884Z

Link: CVE-2026-30914

cve-icon Vulnrichment

Updated: 2026-03-13T19:41:50.992Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-13T19:54:35.247

Modified: 2026-03-18T20:19:28.783

Link: CVE-2026-30914

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T13:40:22Z

Weaknesses