Skip to main content

Suse CVE-2026-30915

| EUVDEUVD-2026-12073 MEDIUM
Improper Input Validation (CWE-20)
2026-03-13 https://github.com/drakkan/sftpgo GHSA-m83q-5wr4-4gfp
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 19:00 euvd
EUVD-2026-12073
Analysis Generated
Mar 13, 2026 - 19:00 vuln.today
CVE Published
Mar 13, 2026 - 18:56 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Impact

SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes.

When a group is configured with a dynamic home directory or key prefix using placeholders like %username%, the value replacing the placeholder is not strictly sanitized against relative path components. Consequently, if a user is created with a specially crafted username the resulting path may resolve to a parent directory instead of the intended sub-directory.

Patches

This issue is fixed in version v2.7.1

AnalysisAI

SFTPGo versions before v2.7.1 suffer from improper input validation in dynamic group path handling, where placeholder substitution (e.g., %username%) fails to sanitize relative path traversal sequences. An authenticated attacker with user creation privileges can craft a malicious username containing path traversal components (such as ../) to escape the intended directory structure and access parent directories, achieving unauthorized directory traversal with low to moderate impact on confidentiality and integrity. The vulnerability requires authenticated access and is not listed as actively exploited in known exploit databases, though the fix availability and moderate CVSS score suggest it warrants prompt patching.

Technical ContextAI

SFTPGo is an SFTP server implementation that supports dynamic path configuration for home directories and key prefixes using template variables. The root cause is classified under CWE-20 (Improper Input Validation), wherein user-supplied data (specifically usernames) are interpolated into path expressions without proper canonicalization or validation against relative path components. When a group is configured with a dynamic home directory such as /home/%username%, the system directly substitutes the username placeholder without stripping or rejecting sequences like ../ that would cause path traversal. This is a classic input validation flaw in path construction where user-controlled input is embedded into file system paths without sanitization, affecting the SFTP service's ability to enforce directory containment.

RemediationAI

Immediately upgrade SFTPGo to version 2.7.1 or later, which contains the necessary input validation fixes for dynamic group path handling. Patch releases should be deployed to all instances, and administrators should verify that the patched version correctly rejects or sanitizes usernames containing path traversal sequences (../, ..\ etc.). Until patching is completed, implement compensating controls by restricting user creation privileges to trusted administrators only and avoiding dynamic group configurations with %username% placeholders if possible—instead use static home directories or implement manual user provisioning workflows. Organizations should also audit existing user accounts to identify any with suspicious usernames containing relative path components and remediate or delete such accounts. Consult the SFTPGo security advisories and release notes at https://github.com/drakkan/sftpgo/releases/tag/v2.7.1 for detailed patch notes and migration guidance.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-30915 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy