Description
SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using placeholders like %username%, the value replacing the placeholder is not strictly sanitized against relative path components. Consequently, if a user is created with a specially crafted username the resulting path may resolve to a parent directory instead of the intended sub-directory. This issue is fixed in version v2.7.1.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Directory Traversal – potential unauthorized file access
Action: Patch Now
AI Analysis

Impact

SFTPGo versions prior to 2.7.1 contain an input validation flaw when processing dynamic group paths such as home directories or key prefixes. Placeholders like %username% are replaced without strict sanitization of relative path components, so a specially crafted username can make the resulting path resolve to a parent directory instead of the intended sub-directory. This is a classic directory traversal (CWE-22) that could allow an attacker to read or write files outside the designated directory, potentially exposing confidential data.
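As an added illustration (hypothetical Go code, not SFTPGo's own implementation), the functions below contrast a naive %username% substitution with one that rejects path components and then verifies the expanded path still lies beneath the template's fixed base directory; the template path and usernames are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePlaceholder is returned when a placeholder value could move the
// expanded path out of the intended directory.
var ErrUnsafePlaceholder = errors.New("placeholder value contains path components")

// expandNaive substitutes %username% with no checks at all. Hypothetical
// code illustrating the flaw class; it is not SFTPGo's implementation.
func expandNaive(template, username string) string {
	return filepath.Clean(strings.ReplaceAll(template, "%username%", username))
}

// expandSafe accepts the placeholder value only if it is a single path
// element, then double-checks that the cleaned result still lies beneath
// the fixed part of the template (defense in depth).
func expandSafe(template, username string) (string, error) {
	// A single element never contains a separator and is never "." or "..".
	if username == "" || username == "." || username == ".." ||
		strings.ContainsAny(username, `/\`) {
		return "", ErrUnsafePlaceholder
	}
	base := filepath.Clean(strings.SplitN(template, "%username%", 2)[0])
	expanded := filepath.Clean(strings.ReplaceAll(template, "%username%", username))
	// Containment check: expanded must be base itself or a descendant of it.
	rel, err := filepath.Rel(base, expanded)
	if err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePlaceholder
	}
	return expanded, nil
}

func main() {
	// Constructed sample template and usernames.
	tpl := "/srv/sftpgo/data/%username%"
	fmt.Println(expandNaive(tpl, "alice"))     // /srv/sftpgo/data/alice
	fmt.Println(expandNaive(tpl, "../../etc")) // /srv/etc, outside the base
	fmt.Println(expandSafe(tpl, "alice"))      // /srv/sftpgo/data/alice <nil>
	fmt.Println(expandSafe(tpl, "../../etc"))  // "" and ErrUnsafePlaceholder
}
```

The same single-element check applies to key prefixes for object-storage backends, where the separator is a literal "/" rather than filepath.Separator.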

Affected Systems

The vulnerable product is drakkan:sftpgo. All releases before v2.7.1 are affected. The issue is resolved in version v2.7.1 and later; no other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate risk. EPSS is below 1%, suggesting a low probability of exploitation at present, and the vulnerability is not in the CISA KEV catalog. Exploitation requires the ability to create a user with a crafted username; the description does not specify the exact privilege level needed, but the action must be performed through an interface that allows user creation, so the likely attack vector is SFTPGo's user management functionality.

Generated by OpenCVE AI on March 18, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SFTPGo to version 2.7.1 or later to eliminate the sanitization issue.


Advisories

Source      | ID                  | Title
Github GHSA | GHSA-m83q-5wr4-4gfp | SFTPGo improperly sanitizes placeholders in group home directories/key prefixes

History

Wed, 18 Mar 2026 20:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Sftpgo Project; Sftpgo Project sftpgo
CPEs                |                | cpe:2.3:a:sftpgo_project:sftpgo:*:*:*:*:*:*:*:*
Vendors & Products  |                | Sftpgo Project; Sftpgo Project sftpgo
Metrics             |                | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Mon, 16 Mar 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Drakkan; Drakkan sftpgo
Vendors & Products  |                | Drakkan; Drakkan sftpgo

Fri, 13 Mar 2026 20:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 19:30:00 +0000

Type        | Values Removed | Values Added
Description |                | SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using placeholders like %username%, the value replacing the placeholder is not strictly sanitized against relative path components. Consequently, if a user is created with a specially crafted username the resulting path may resolve to a parent directory instead of the intended sub-directory. This issue is fixed in version v2.7.1
Title       |                | SFTPGo improperly sanitizes placeholders in group home directories/key prefixes
Weaknesses  |                | CWE-22
References  |                |
Metrics     |                | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T19:41:17.258Z

Reserved: 2026-03-07T16:40:05.884Z

Link: CVE-2026-30915

Vulnrichment

Updated: 2026-03-13T19:41:13.342Z

NVD

Status: Analyzed

Published: 2026-03-13T19:54:35.410

Modified: 2026-03-18T20:16:46.693

Link: CVE-2026-30915

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:40:21Z

Weaknesses