CVE-2026-30915 Overview
CVE-2026-30915 is a path traversal vulnerability affecting SFTPGo, an open source, event-driven file transfer solution. The vulnerability exists in the handling of dynamic group paths, including home directories and key prefixes. When a group is configured with a dynamic home directory or key prefix using placeholders like %username%, the value replacing the placeholder is not strictly sanitized against relative path components. This allows an attacker with the ability to create users to craft a malicious username that causes the resulting path to resolve to a parent directory instead of the intended sub-directory.
Critical Impact
Attackers who can create users may craft usernames with path traversal sequences to escape the intended directory structure, potentially gaining unauthorized access to files outside the designated home directory.
Affected Products
- SFTPGo versions prior to v2.7.1
- SFTPGo installations using dynamic group paths with %username% placeholder
- SFTPGo configurations with dynamic home directories or key prefixes
Discovery Timeline
- 2026-03-13 - CVE-2026-30915 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-30915
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The flaw occurs in SFTPGo's dynamic path resolution mechanism where user-controllable input is incorporated into file system paths without adequate sanitization.
When administrators configure SFTPGo groups with dynamic paths using the %username% placeholder, the system replaces this placeholder with the actual username during path resolution. However, versions prior to v2.7.1 fail to properly validate and sanitize the username value for relative path components such as .. (parent directory references). This oversight allows a malicious actor with user creation privileges to inject path traversal sequences into usernames, effectively bypassing directory restrictions.
The vulnerability is exploitable over the network by authenticated users with user creation capabilities. While the attack requires low privileges, it can result in unauthorized read and write access to files outside the intended directory scope, compromising data confidentiality and integrity.
Root Cause
The root cause of this vulnerability is insufficient input validation in SFTPGo's path handling logic for dynamic group configurations. The %username% placeholder substitution mechanism does not implement strict sanitization to filter out or neutralize relative path components (such as ../ sequences) before constructing file system paths. This allows unsanitized user input to influence the final resolved path, enabling directory escape.
Attack Vector
The attack vector is network-based and requires an authenticated attacker with permissions to create user accounts within the SFTPGo instance. The attacker creates a user with a specially crafted username containing path traversal sequences (e.g., ../../../target). When the system resolves the dynamic home directory path by replacing %username% with this malicious value, the resulting path escapes the intended directory boundary and resolves to an arbitrary location in the file system.
For example, if the home directory template is /data/users/%username%/files and the attacker creates a username ../../etc, the resolved path could become /data/users/../../etc/files, which normalizes to /etc/files, allowing access outside the /data/users/ directory structure.
See the GitHub Security Advisory for complete technical details on the vulnerability mechanism.
Detection Methods for CVE-2026-30915
Indicators of Compromise
- User accounts with usernames containing path traversal sequences such as ../, ..\, or URL-encoded variants
- Unexpected file access patterns in directories outside configured SFTPGo home directory structures
- Log entries showing user creation events with suspicious or malformed usernames
Detection Strategies
- Audit existing user accounts for usernames containing relative path components (.., ., or directory separators)
- Monitor SFTPGo logs for user creation events and validate username values against expected patterns
- Implement file integrity monitoring on sensitive directories outside SFTPGo's intended data paths
- Review access logs for file operations occurring in unexpected file system locations
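The following Go program is an added illustration, not SFTPGo's own code: it reproduces the placeholder substitution from the Attack Vector example above (the /data/users/%username%/files template and the ../../etc username), places a hardened resolver beside it, and reuses the same username check to implement the account audit from the Detection Strategies list. The template and the sample usernames are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Constructed template in the style of the page's example; not SFTPGo's own code.
const homeTemplate = "/data/users/%username%/files"

// resolveHomeUnsafe mirrors the pre-v2.7.1 behaviour the advisory describes: the
// placeholder is substituted verbatim, so ".." survives and Clean resolves it upward.
func resolveHomeUnsafe(template, username string) string {
	return filepath.Clean(strings.ReplaceAll(template, "%username%", username))
}

// hasTraversal reports whether a username, after one round of URL decoding, contains
// a path separator or is itself a dot segment. It gates creation and drives the audit.
func hasTraversal(username string) bool {
	if dec, err := url.PathUnescape(username); err == nil {
		username = dec
	}
	return strings.ContainsAny(username, `/\`) || username == "." || username == ".."
}

// resolveHomeSafe rejects usernames with path components, then verifies that the
// cleaned result still lies under the directory that precedes the placeholder.
func resolveHomeSafe(template, username string) (string, error) {
	if hasTraversal(username) {
		return "", fmt.Errorf("username %q contains path components", username)
	}
	base := filepath.Clean(strings.SplitN(template, "%username%", 2)[0])
	resolved := filepath.Clean(strings.ReplaceAll(template, "%username%", username))
	rel, err := filepath.Rel(base, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("resolved path %q escapes %q", resolved, base)
	}
	return resolved, nil
}

func main() {
	fmt.Println(resolveHomeUnsafe(homeTemplate, "../../etc")) // /etc/files
	fmt.Println(resolveHomeSafe(homeTemplate, "../../etc"))  // "" and the escape error
	// Constructed sample of usernames as they might appear in a user export.
	for _, u := range []string{"alice", "..%2F..%2Fetc", `..\..\windows`} {
		fmt.Printf("%-16q suspicious=%v\n", u, hasTraversal(u))
	}
}
```

The containment check in resolveHomeSafe is deliberately kept even though hasTraversal already rejects the username, so a future template change cannot silently reopen the escape.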
Monitoring Recommendations
- Enable verbose logging in SFTPGo to capture user management operations
- Deploy SentinelOne Singularity XDR to detect anomalous file access patterns indicative of path traversal exploitation
- Set up alerts for user creation events containing special characters or path separator sequences
- Monitor for unauthorized access to sensitive configuration files or system directories
How to Mitigate CVE-2026-30915
Immediate Actions Required
- Upgrade SFTPGo to version v2.7.1 or later immediately
- Audit all existing user accounts for usernames containing path traversal sequences and remove or rename suspicious accounts
- Review file access logs to identify potential exploitation attempts
- Restrict user creation privileges to trusted administrators only
Patch Information
The vulnerability has been addressed in SFTPGo version v2.7.1. The patch implements proper input validation and sanitization for username values used in dynamic path resolution, ensuring that relative path components cannot be used to escape directory boundaries. Administrators should upgrade to v2.7.1 or later to remediate this vulnerability. Detailed patch information is available in the GitHub Security Advisory.
Workarounds
- Disable dynamic group paths using the %username% placeholder until patching is complete
- Implement strict username validation at the application layer before user creation
- Use static home directory assignments instead of dynamic placeholder-based paths
- Apply file system-level access controls to limit potential damage from directory escape
# Configuration example - restrict user creation and audit existing users
# 1. Review the home directory and key prefix settings of your SFTPGo groups and
#    avoid %username% placeholders until the upgrade is complete.
# 2. Check for suspicious usernames in your user database. SFTPGo exposes users
#    through its REST API; this assumes the admin API listens on 127.0.0.1:8080,
#    that jq is installed, and that you are prompted for the admin password:
TOKEN=$(curl -s -u admin http://127.0.0.1:8080/api/v2/token | jq -r .access_token)
curl -s -H "Authorization: Bearer $TOKEN" 'http://127.0.0.1:8080/api/v2/users?limit=500' \
  | jq -r '.[].username' | grep -E '\.\.|/|\\'
#    (the users endpoint is paginated; repeat with an offset parameter for larger deployments)
# 3. Upgrade SFTPGo to the patched version, for example using Docker:
docker pull drakkan/sftpgo:v2.7.1
#    or download the latest release from GitHub.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.