CVE-2026-30914

Description

### Impact In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. ### Patches This issue has been addressed in SFTPGo version 2.7.1. The fix introduces strict edge-level path normalization, ensuring that all protocol inputs are fully sanitized and resolved to canonical POSIX paths before any routing or permission evaluations occur.

Affected packages (4)

• Go/github.com/drakkan/sftpgofrom 0, <= 1.2.2
• Go/github.com/drakkan/sftpgofrom 0
• Go/github.com/drakkan/sftpgo/v2from 0, < 2.7.1
• Go/github.com/drakkan/sftpgo/v2from 0, < 2.7.1

CVSS scores

References (5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-30914
• PATCHhttps://github.com/drakkan/sftpgo
• WEBhttps://github.com/drakkan/sftpgo/commit/2f092d128917e2c059520a2ce3e22c3b5ea7ffd6
• WEBhttps://github.com/drakkan/sftpgo/security/advisories/GHSA-x8qh-7475-c5mp
• WEBhttps://pkg.go.dev/vuln/GO-2026-4699