{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30914", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T16:40:05.884Z", "datePublished": "2026-03-13T19:02:28.270Z", "dateUpdated": "2026-03-13T19:41:55.916Z"}, "containers": {"cna": {"title": "SFTPGo has a Path Traversal and Permission Bypass via Path Normalization Discrepancy", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-x8qh-7475-c5mp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-x8qh-7475-c5mp"}], "affected": [{"vendor": "drakkan", "product": "sftpgo", "versions": [{"version": "< 2.7.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T19:02:28.270Z"}, "descriptions": [{"lang": "en", "value": "SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. This vulnerability is fixed in 2.7.1."}], "source": {"advisory": "GHSA-x8qh-7475-c5mp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T19:41:44.985929Z", "id": "CVE-2026-30914", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:41:55.916Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30914", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T19:41:44.985929Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:41:50.992Z"}}], "cna": {"title": "SFTPGo has a Path Traversal and Permission Bypass via Path Normalization Discrepancy", "source": {"advisory": "GHSA-x8qh-7475-c5mp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "drakkan", "product": "sftpgo", "versions": [{"status": "affected", "version": "< 2.7.1"}]}], "references": [{"url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-x8qh-7475-c5mp", "name": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-x8qh-7475-c5mp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. This vulnerability is fixed in 2.7.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T19:02:28.270Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30914", "state": "PUBLISHED", "dateUpdated": "2026-03-13T19:41:55.916Z", "dateReserved": "2026-03-07T16:40:05.884Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-13T19:02:28.270Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sftpgo_project:sftpgo:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7040FCD-56C0-4C58-91E0-7269DE2C0783", "versionEndExcluding": "2.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. This vulnerability is fixed in 2.7.1."}], "id": "CVE-2026-30914", "lastModified": "2026-03-18T20:19:28.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-13T19:54:35.247", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-x8qh-7475-c5mp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "sftpgo", "source": "cna", "vendor": "drakkan"}, "product": "sftpgo", "vendor": "drakkan"}], "analysis": {"en": {"generated_at": "2026-03-18T21:25:45.520397+00:00", "value": {"mitigation_remediation": ["Upgrade SFTPGo to version 2.7.1 or later"], "summary": {"action": "Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "Affected vendor: drakkan. Product: SFTPGo. The issue applies to all releases prior to version 2.7.1, as noted in the advisory and the cpe:2.3:a:sftpgo_project:sftpgo:*:*:*:*:*:*:*:* descriptor.", "description_and_impact": "The vulnerability in SFTPGo is a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing. This cause the server to treat normalized paths incorrectly, allowing an authenticated attacker to craft specific file paths that bypass folder\u2011level permissions or escape the boundaries of a configured Virtual Folder. The intrusion opportunity arises from the difference in path handling between protocol handlers and the internal virtual filesystem, which effectively lets an attacker access files beyond their authorized scope.", "risk_and_exploitability": "The CVSS score of 5.3 points to a medium severity risk. The EPSS score is reported as below 1%, indicating a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploitation. The attack vector is inferred to be an authenticated SFTP session where the attacker crafts malicious paths, taking advantage of the path normalization discrepancy to bypass authorization controls. The recommended mitigation is to upgrade to version 2.7.1 or later, which resolves the path handling issue."}}}}, "created": "2026-03-16T09:24:30.862660+00:00", "updated": "2026-03-23T13:40:22.607748+00:00", "vendors": ["drakkan", "drakkan$PRODUCT$sftpgo"]}