CVE

CVE-2026-30914

SFTPGo Vulnerable to Path Traversal and Permission Bypass via Path Normalization Discrepancy

Impact

In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder.

Patches

This issue has been addressed in SFTPGo version 2.7.1. The fix introduces strict edge-level path normalization, ensuring that all protocol inputs are fully sanitized and resolved to canonical POSIX paths before any routing or permission evaluations occur.
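
The pattern the fix describes, as an added Go example (not SFTPGo's code and not taken from the patch): the client path is canonicalized once at the edge, and both the permission lookup and the virtual-folder routing consume that same canonical value. The policy map, mount table, backing roots and all function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed sample policy (not SFTPGo configuration).
var dirPerms = map[string]bool{"/": true, "/restricted": false}
var vfolders = map[string]string{"/vdata": "/srv/vdata"} // mount -> backing root

// Decision is all that later stages see; the raw client string stops here.
type Decision struct {
	Path, Backend string
	Allowed       bool
}

// Canonicalize maps every client spelling to one absolute, cleaned POSIX path.
// Rooting before Clean makes leading ".." segments collapse to "/".
func Canonicalize(raw string) string { return path.Clean("/" + raw) }

// under reports whether p is dir or lies beneath it, matching whole segments.
func under(p, dir string) bool {
	return dir == "/" || p == dir || strings.HasPrefix(p, dir+"/")
}

// Resolve normalizes once, then derives permission and routing from that value.
func Resolve(raw string) Decision {
	p := Canonicalize(raw)
	d := Decision{Path: p, Backend: path.Join("/srv/home", p)}
	best := ""
	for dir, ok := range dirPerms { // longest matching directory rule wins
		if under(p, dir) && len(dir) > len(best) {
			best, d.Allowed = dir, ok
		}
	}
	for mount, root := range vfolders { // routing uses the same canonical path
		if under(p, mount) {
			d.Backend = path.Join(root, strings.TrimPrefix(p, mount))
		}
	}
	return d
}

func main() {
	for _, raw := range []string{"/restricted/a.txt", "vdata/../restricted//./a.txt", "/vdata/./docs/", "/vdata/sub/../../../x"} {
		fmt.Printf("%-32q -> %+v\n", raw, Resolve(raw))
	}
}
```

Because every handler receives only the `Decision`, two spellings of the same file cannot be authorized under one directory rule and routed under another.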

CVSS Version

Base Score: 5.3
CVSS Version: 4.0
Score Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

https://github.com/drakkan/sftpgo/security/advisories/GHSA-x8qh-7475-c5mp
https://nvd.nist.gov/vuln/detail/CVE-2026-30914
https://github.com/drakkan/sftpgo/commit/2f092d128917e2c059520a2ce3e22c3b5ea7ffd6
https://github.com/drakkan/sftpgo
https://pkg.go.dev/vuln/GO-2026-4699

Severity

CVSS Score: 8.1 (scale 0 to 10)

Basic Information

Ecosystem
Base CVSS: 8.1
EPSS Probability: 0.00026%
EPSS Percentile: 0.07461%
Introduced Version: 0
Fix Available: 2.7.1