CVE-2026-30914: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in drakkan sftpgo
SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. This vulnerability is fixed in 2.7.1.
AI Analysis
Technical Summary
SFTPGo is an open-source, event-driven file transfer server supporting protocols such as SFTP. In versions prior to 2.7.1, a vulnerability identified as CVE-2026-30914 (CWE-22) exists due to improper limitation of a pathname to a restricted directory, commonly known as a path traversal flaw. The root cause is a discrepancy in path normalization between the protocol handlers and the internal Virtual Filesystem (VFS) routing logic: the two layers do not agree on the canonical form of a client-supplied path. When an authenticated attacker submits a specially constructed file path, the system therefore fails to correctly enforce folder-level permissions or to confine access within the boundaries of configured Virtual Folders. This allows the attacker to bypass authorization controls and access or manipulate files outside their permitted directories. The vulnerability does not require elevated privileges beyond authentication and does not need user interaction beyond the initial login. The CVSS 4.0 base score is 5.3 (medium severity), reflecting a network attack vector, low attack complexity, no privileges required, and limited confidentiality, integrity, and availability impacts. The vulnerability was publicly disclosed on March 13, 2026, and fixed in SFTPGo version 2.7.1. No known exploits have been reported in the wild to date. The flaw highlights the importance of consistent path normalization and authorization checks across every layer of a virtualized filesystem in file transfer solutions.
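As an added illustration of the bug class described above (this is not SFTPGo's code and not the specific flaw behind CVE-2026-30914): a constructed Go policy in which a protocol-layer check matches virtual folders by textual prefix on the raw request path, while the filesystem layer routes on the cleaned path, so the two layers can disagree about which folder a request really lands in. The names `permissions`, `authorizeRaw` and `authorizeClean` are assumptions for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// permissions maps a virtual folder to the operations allowed beneath it.
// Constructed sample policy, not an SFTPGo configuration.
var permissions = map[string]map[string]bool{
	"/":        {"list": true},
	"/uploads": {"list": true, "upload": true, "download": true},
}

// normalize yields the canonical absolute path the filesystem layer routes on.
func normalize(p string) string {
	return path.Clean("/" + p)
}

// folderByPrefix returns the most specific configured folder that is a
// textual prefix of p. On a raw path this is the flawed pattern: ".."
// segments are still inside the string when the decision is made.
func folderByPrefix(p string) string {
	best := "/"
	for folder := range permissions {
		if folder != "/" && len(folder) > len(best) &&
			(p == folder || strings.HasPrefix(p, folder+"/")) {
			best = folder
		}
	}
	return best
}

// authorizeRaw decides on the path as received; the VFS cleans it later,
// so the two layers can disagree about which folder the request lands in.
func authorizeRaw(requested, op string) bool {
	return permissions[folderByPrefix(requested)][op]
}

// authorizeClean normalizes first, so both layers reason about the same canonical path.
func authorizeClean(requested, op string) bool {
	return permissions[folderByPrefix(normalize(requested))][op]
}

func main() {
	p := "/uploads/../secret.txt" // constructed request, textually under /uploads
	fmt.Println(authorizeRaw(p, "upload"), authorizeClean(p, "upload"), normalize(p))
}
```

The fix pattern is the second function: canonicalize once, then hand the same canonical path to both the permission check and the VFS, so a folder-level rule can never be evaluated against a different path than the one that is finally opened.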
Potential Impact
This vulnerability can lead to unauthorized access or modification of files outside the intended virtual folder boundaries in SFTPGo deployments. Organizations relying on SFTPGo for secure file transfers may face data confidentiality breaches if attackers access sensitive files beyond their permissions. Integrity of files could be compromised if attackers modify or replace files outside their authorized scope. Availability impact is limited but possible if critical system files are altered. Since exploitation requires authentication, the threat is primarily from malicious insiders or compromised user accounts. The impact is significant for organizations with strict data segregation requirements or regulatory compliance mandates, as unauthorized file access could lead to data leaks, compliance violations, or lateral movement within networks. The absence of known exploits reduces immediate risk, but the medium severity and ease of exploitation after authentication warrant prompt remediation to prevent potential abuse.
Mitigation Recommendations
1. Upgrade all SFTPGo instances to version 2.7.1 or later, where this vulnerability is fixed.
2. Review and tighten authentication mechanisms to reduce the risk of compromised credentials, including enforcing strong passwords and multi-factor authentication.
3. Audit and restrict user permissions and virtual folder configurations to the minimum necessary scope, limiting potential damage from exploitation.
4. Implement monitoring and alerting on unusual file access patterns or attempts to access files outside authorized directories.
5. Conduct regular security assessments and penetration testing focusing on path traversal and authorization bypass scenarios in file transfer systems.
6. If an immediate upgrade is not feasible, consider deploying network-level controls such as IP whitelisting or VPN access to limit exposure.
7. Educate administrators and users about the risks of path traversal vulnerabilities and the importance of promptly applying security patches.
Affected Countries
United States, Germany, United Kingdom, France, Japan, Canada, Australia, Netherlands, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-07T16:40:05.884Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b465b22f860ef9438da27b
Added to database: 3/13/2026, 7:29:54 PM
Last enriched: 3/13/2026, 7:45:04 PM
Last updated: 3/15/2026, 6:54:52 PM