EUVD-2026-12072
GHSA-x8qh-7475-c5mp
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4Tags
Description
### Impact In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. ### Patches This issue has been addressed in SFTPGo version 2.7.1. The fix introduces strict edge-level path normalization, ensuring that all protocol inputs are fully sanitized and resolved to canonical POSIX paths before any routing or permission evaluations occur.
Analysis
SFTPGo versions prior to 2.7.1 contain a path normalization vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) that allows authenticated attackers to bypass folder-level permissions and escape Virtual Folder boundaries through crafted file paths. An attacker with valid credentials can exploit this authorization bypass to access files and directories beyond their intended scope. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 7 days: Identify all affected systems running SFTPGo and apply vendor patches promptly. Review file handling controls and restrict upload directories.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today