SFTPGo is an open-source, event-driven file transfer server supporting SFTP and other protocols. Versions from 2.3.0 to before 2.7.1 contain a path traversal vulnerability (CWE-22) identified as CVE-2026-30915. The issue stems from insufficient sanitization of dynamic group path placeholders, such as %username%, used to define home directories or key prefixes. When a username includes relative path components (e.g., '../'), the resulting path can traverse outside the intended restricted directory, bypassing directory confinement controls. This improper limitation of pathname allows an attacker with the ability to create or control usernames to access or manipulate files outside their authorized directory scope. The vulnerability is remotely exploitable without authentication or user interaction, though it requires the attacker to have privileges to create or influence usernames. The CVSS 4.0 base score is 5.3 (medium), reflecting network attack vector, low complexity, no privileges required, and limited impact on confidentiality and integrity. No known exploits have been reported in the wild. The issue is resolved in SFTPGo version 2.7.1 by implementing stricter input validation and sanitization of dynamic path components to prevent directory traversal.

This vulnerability can lead to unauthorized access or modification of files outside the designated user directories on SFTPGo servers, potentially exposing sensitive data or allowing tampering with system files. Organizations relying on SFTPGo for secure file transfers may face data confidentiality breaches and integrity violations. Attackers exploiting this flaw could bypass directory restrictions, leading to privilege escalation or lateral movement within the affected environment. Although the impact is limited by the need to create or control usernames, environments with automated user provisioning or weak user management policies are at higher risk. The vulnerability could disrupt secure file transfer operations and damage organizational trust in data handling. Since SFTPGo is used globally in various sectors, the threat affects any organization using vulnerable versions, especially those with internet-facing SFTPGo servers.

The primary mitigation is to upgrade SFTPGo to version 2.7.1 or later, where the vulnerability is fixed. Until upgrading, organizations should enforce strict validation on usernames to disallow relative path components such as '../' or other directory traversal sequences. Implement input sanitization at the user creation stage to prevent malicious usernames. Restrict user creation privileges to trusted administrators and monitor logs for suspicious username patterns. Employ file system permissions and access controls to limit the impact of potential traversal attempts. Additionally, consider isolating SFTPGo instances in segmented network zones and use intrusion detection systems to detect anomalous file access patterns. Regularly audit SFTPGo configurations and user directories to ensure no unauthorized files are accessible outside intended paths.