Description

SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. This vulnerability is fixed in 2.7.1.

INFO

Published Date :

2026-03-13T19:02:28.270Z

Last Modified :

2026-03-13T19:41:55.916Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-30914 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-30914.

URL Resource
https://github.com/drakkan/sftpgo/security/advisories/GHSA-x8qh-7475-c5mp cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability