CVE-2026-30914 Overview
CVE-2026-30914 is a path traversal vulnerability in SFTPGo, an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder.
Critical Impact
An authenticated user can bypass folder-level permissions or escape the boundaries of a Virtual Folder, and so read, write or delete files the account was never granted. Valid credentials are required, so the exposure is to existing tenants and to compromised accounts rather than to the unauthenticated internet, but in multi-tenant deployments the segregation between users is exactly what this flaw undermines.
Affected Products
- SFTPGo versions prior to 2.7.1
- NVD product entry: sftpgo_project sftpgo. Because the flaw covers both folder-level permission bypass and Virtual Folder escape, installations that rely on per-folder permissions are affected even if they define no Virtual Folders
Discovery Timeline
- 2026-03-13 - CVE-2026-30914 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-30914
Vulnerability Analysis
This vulnerability stems from inconsistent path normalization between different components of SFTPGo. When users access files through various protocols (SFTP, FTP, WebDAV, HTTP), the protocol handlers process path inputs differently than the internal Virtual Filesystem routing mechanism. This discrepancy creates an opportunity for authenticated users to craft malicious file paths that bypass the intended access controls.
The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. While the attack requires authentication, the ability to escape Virtual Folder boundaries represents a significant security concern for multi-tenant deployments or environments where strict file access segregation is required.
Root Cause
The root cause lies in the path normalization discrepancy between SFTPGo's protocol handlers and its Virtual Filesystem routing logic. When a file path is received through a protocol handler, it undergoes normalization that may differ from the normalization applied by the Virtual Filesystem layer. This inconsistency allows specially crafted paths to resolve to locations outside the user's authorized Virtual Folder boundaries.
SFTPGo's Virtual Folders mount a filesystem location at a chosen virtual path inside a user's tree, so that what the user sees under that path is the mounted content and nothing beyond it. With the normalization mismatch, a request path can look to one component as if it stays under the mount (or under a folder the user holds permissions for) while the other component resolves it somewhere else, so the authorization decision and the filesystem operation are made on two different interpretations of the same string.
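The following Go program is an added illustration of this bug class and is not SFTPGo's code; the folder layout, permission table and Virtual Folder mounts are invented for the example, and the real 2.7.1 fix is described only in GHSA-x8qh-7475-c5mp. It models two layers that normalize differently (a permission check on the path as delivered, a VFS resolution on the cleaned path) beside a hardened version that canonicalizes once and runs every check on that single form:

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Hypothetical per-folder permissions for one user: "*" = full access,
// "list" = directory listing only.
var folderPerms = map[string]string{
	"/":        "list",
	"/shared":  "*",
	"/private": "list",
}

// Hypothetical Virtual Folders: virtual path -> filesystem root mounted there.
var mounts = map[string]string{
	"/shared": "/srv/shared",
}

// Everything not covered by a Virtual Folder lives under the user's home.
const homeRoot = "/srv/home/alice"

// permFor returns the permission of the most specific configured folder that
// textually contains p. It trusts p exactly as given.
func permFor(p string) string {
	best, perm := "", "list"
	for folder, pr := range folderPerms {
		if folder == "/" || p == folder || strings.HasPrefix(p, folder+"/") {
			if len(folder) > len(best) {
				best, perm = folder, pr
			}
		}
	}
	return perm
}

// resolve maps a virtual path onto the filesystem, honouring mounts.
func resolve(virtual string) string {
	for vpath, root := range mounts {
		if virtual == vpath || strings.HasPrefix(virtual, vpath+"/") {
			return root + strings.TrimPrefix(virtual, vpath)
		}
	}
	return homeRoot + virtual
}

// vulnerableOpen: the permission layer sees the raw path (only forced absolute),
// the VFS layer sees path.Clean(p). "/shared/../private/x" is judged by the
// "/shared" permissions but resolved under "/private".
func vulnerableOpen(p string) (string, bool) {
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	if permFor(p) != "*" {
		return "", false
	}
	return resolve(path.Clean(p)), true
}

// hardenedOpen canonicalizes exactly once, checks permissions on that form, and
// as defence in depth confirms the resolved path stays under an allowed root.
func hardenedOpen(p string) (string, bool) {
	canon := path.Clean("/" + p) // absolute; "..", "." and "//" collapsed
	if permFor(canon) != "*" {
		return "", false
	}
	fs := resolve(canon)
	if !underAllowedRoot(fs) {
		return "", false
	}
	return fs, true
}

func underAllowedRoot(fs string) bool {
	roots := []string{homeRoot}
	for _, r := range mounts {
		roots = append(roots, r)
	}
	for _, r := range roots {
		if fs == r || strings.HasPrefix(fs, r+"/") {
			return true
		}
	}
	return false
}

func main() {
	for _, p := range []string{"/shared/report.pdf", "/shared/../private/secret.txt", "/private/secret.txt"} {
		vfs, vok := vulnerableOpen(p)
		hfs, hok := hardenedOpen(p)
		fmt.Printf("%-32s vulnerable: %-5t %-38s hardened: %-5t %s\n", p, vok, vfs, hok, hfs)
	}
}
```

The point to take from the hardened variant is not the specific cleaning call but the shape: one canonical form, computed before any decision, and every layer (permissions, mount lookup, final root check) consuming only that form.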
Attack Vector
The attack vector is network-based, requiring an authenticated session to the SFTPGo server. An attacker with valid credentials can exploit this vulnerability by:
- Establishing an authenticated connection via SFTP, FTP, WebDAV, or HTTP
- Crafting file path requests with specific sequences that exploit the normalization discrepancy
- Bypassing folder-level permissions to access files outside their authorized scope
- Potentially reading, modifying, or deleting files that should be restricted
The flaw sits on the boundary between protocol handling and filesystem access control: the authorization decision is made on one representation of the path and the filesystem operation on another, so an authenticated user can exceed the privileges configured for the account without ever presenting a path that either component, taken alone, would reject.
Detection Methods for CVE-2026-30914
Indicators of Compromise
- Authenticated users reaching paths that resolve outside the folders mapped for their account, for example into a folder they hold list-only rights to or beyond a Virtual Folder mount
- Logged request paths containing ".." segments, stray "." segments, repeated slashes or percent-encoded equivalents (%2e%2e, %2f on WebDAV and HTTP) that clean to a different top-level folder than the one the raw path starts under
- Requests whose cleaned path lands in a location no Virtual Folder or permission entry for that user covers
- Mismatches between the path recorded for an operation and the folder mappings that should have governed it
Detection Strategies
- Scan SFTPGo access logs for request paths containing traversal sequences such as ../, and for percent-encoded forms on the WebDAV and HTTP handlers, comparing the raw path with its cleaned form rather than matching ".." alone
- Put file integrity monitoring on directories that no Virtual Folder or user home should reach, so that a successful escape shows up as an unexpected read or write
- Correlate transfer and access log entries with each user's configured folders and permissions, and flag operations on locations the configuration does not grant
- Use network-level monitoring for volume and timing anomalies only; SFTP, FTPS and HTTPS payloads are encrypted, so path-level detection has to come from the server's own logs
Monitoring Recommendations
- Raise the SFTPGo log level to debug so every file operation is recorded with its full request path (the `--log-level` flag of `sftpgo serve` in 2.x; confirm the flag name against `sftpgo serve --help` for your build)
- Configure alerting for any file access attempts outside defined Virtual Folder mappings
- Implement real-time log analysis to detect path traversal patterns in incoming requests
- Regularly audit user permissions and Virtual Folder configurations for least-privilege compliance
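The Go program below is an added example, not part of this advisory or of SFTPGo, that implements the log-scanning strategy from the two lists above: it runs over constructed newline-delimited JSON log lines, decodes percent-escapes, cleans each path and flags entries where a traversal segment appears or where cleaning moves the request to a different top-level folder. The field names username, protocol and path are assumed for the sample; SFTPGo writes JSON logs, but the actual field names must be checked against your own output before pointing this at real files.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed sample log lines (not real SFTPGo output; field names assumed).
const sampleLog = `{"username":"alice","protocol":"SFTP","path":"/shared/report.pdf"}
{"username":"alice","protocol":"SFTP","path":"/shared/../private/secret.txt"}
{"username":"bob","protocol":"WebDAV","path":"/shared/%2e%2e/%2e%2e/etc/passwd"}
{"username":"bob","protocol":"HTTP","path":"/shared//./docs/a.txt"}
{"username":"carol","protocol":"FTP","path":"/shared/docs/../notes.txt"}
`

type entry struct {
	Username string `json:"username"`
	Protocol string `json:"protocol"`
	Path     string `json:"path"`
}

type finding struct {
	Username, Protocol, Raw, Canonical, Reason string
}

// firstSegment returns the top-level folder a path appears to start under.
func firstSegment(p string) string {
	p = strings.TrimPrefix(p, "/")
	if i := strings.Index(p, "/"); i >= 0 {
		return p[:i]
	}
	return p
}

func hasDotDot(p string) bool {
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// analyze flags a request when it carries a ".." segment (plain or
// percent-encoded) or when cleaning it changes the top-level folder, which is
// precisely where two layers that normalize differently would disagree.
// Paths that only contain "//" or "." noise are not reported, to keep the
// signal clean.
func analyze(e entry) (finding, bool) {
	decoded, err := url.PathUnescape(e.Path)
	if err != nil {
		return finding{e.Username, e.Protocol, e.Path, "", "undecodable percent-escape"}, true
	}
	canon := path.Clean("/" + decoded)
	var reasons []string
	if hasDotDot(decoded) {
		if decoded != e.Path {
			reasons = append(reasons, "percent-encoded traversal sequence")
		} else {
			reasons = append(reasons, "traversal sequence")
		}
	}
	if firstSegment(decoded) != firstSegment(canon) {
		reasons = append(reasons, "normalization moves request to another top-level folder")
	}
	if len(reasons) == 0 {
		return finding{}, false
	}
	return finding{e.Username, e.Protocol, e.Path, canon, strings.Join(reasons, "; ")}, true
}

// scan parses newline-delimited JSON and returns the suspicious entries in order.
func scan(logData string) []finding {
	var out []finding
	sc := bufio.NewScanner(strings.NewReader(logData))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e entry
		if err := json.Unmarshal([]byte(line), &e); err != nil || e.Path == "" {
			continue // not a request line in the expected shape
		}
		if f, ok := analyze(e); ok {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	for _, f := range scan(sampleLog) {
		fmt.Printf("%s via %s: %q -> %q (%s)\n", f.Username, f.Protocol, f.Raw, f.Canonical, f.Reason)
	}
}
```

In the sample, bob's "/shared//./docs/a.txt" is deliberately not reported: cleaning changes the string but not the folder it belongs to, and alerting on every such line would bury the two entries that actually cross a folder boundary. Carol's in-folder ".." is reported at the lower "traversal sequence" level so it can be triaged separately.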
How to Mitigate CVE-2026-30914
Immediate Actions Required
- Upgrade SFTPGo to version 2.7.1 or later immediately
- Review SFTPGo access logs for signs of exploitation or unauthorized file access
- Audit Virtual Folder configurations to ensure proper boundary definitions
- Consider temporarily restricting access to the SFTPGo service if immediate patching is not possible
Patch Information
SFTPGo version 2.7.1 addresses this vulnerability by correcting the path normalization inconsistency between protocol handlers and the Virtual Filesystem routing. Organizations should update to this version or later to remediate CVE-2026-30914. The security advisory and patch details are available in the GitHub Security Advisory GHSA-x8qh-7475-c5mp.
Workarounds
- If upgrading is not immediately possible, restrict SFTPGo access to trusted networks only
- Implement additional network-level access controls to limit exposure
- Review and tighten Virtual Folder permissions to minimize potential impact
- Enable comprehensive logging and monitoring while awaiting patch deployment
- Consider temporarily removing Virtual Folders that are not critical to operations, noting that this only narrows the Virtual Folder escape; the folder-level permission bypass remains until the upgrade is applied
# Verify the running SFTPGo version after the upgrade (cobra-style version flag, -v also works)
sftpgo --version
# The output must report 2.7.1 or later
# If using Docker, pull the fixed image tag:
docker pull drakkan/sftpgo:v2.7.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


