Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder.
Patches
This issue has been addressed in SFTPGo version 2.7.1. The fix introduces strict edge-level path normalization, ensuring that all protocol inputs are fully sanitized and resolved to canonical POSIX paths before any routing or permission evaluations occur.
AnalysisAI
SFTPGo versions prior to 2.7.1 contain a path normalization vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) that allows authenticated attackers to bypass folder-level permissions and escape Virtual Folder boundaries through crafted file paths. An attacker with valid credentials can exploit this authorization bypass to access files and directories beyond their intended scope. The vulnerability has been patched in version 2.7.1 with strict edge-level path normalization, and while no public POC or KEV status has been disclosed, the CVSS 5.3 (network-accessible, low complexity) and requirement for prior authentication suggest this is a real but moderate-priority issue.
Technical ContextAI
SFTPGo is a file transfer server implementation supporting SFTP, HTTP/WebDAV, and FTP protocols. The vulnerability stems from a discrepancy between how protocol handlers (SFTP, HTTP, FTP) normalize file paths and how the internal Virtual Filesystem (VFS) routing layer processes those paths. CWE-22 (Path Traversal / Directory Escape) indicates insufficient canonicalization of user-supplied paths before permission checks occur. The affected component is the path normalization logic that should convert all protocol-layer inputs to canonical POSIX paths before permission evaluation against folder-level access controls and Virtual Folder boundaries. This is a classic authorization logic flaw where path normalization happens too late or inconsistently across protocol entry points, allowing attackers to supply alternative path representations (e.g., with redundant separators, relative segments, or encoding variations) that bypass ACL checks in the VFS routing engine.
RemediationAI
Upgrade SFTPGo to version 2.7.1 or later immediately to apply the strict edge-level path normalization fix. The patch ensures all protocol inputs are fully sanitized and resolved to canonical POSIX paths before routing or permission evaluation. Until patching is possible, mitigate by restricting SFTP/FTP access to trusted networks via firewall rules, disabling virtual folder usage if not required, and implementing strict folder-level permissions with regular audits of user access. Verify the patch is applied by checking the SFTPGo version output and reviewing the changelog at the vendor's official repository. No configuration-only workarounds exist for this logic flaw, making patching the only reliable remediation.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12072
GHSA-x8qh-7475-c5mp