Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes.
When a group is configured with a dynamic home directory or key prefix using placeholders like %username%, the value replacing the placeholder is not strictly sanitized against relative path components. Consequently, if a user is created with a specially crafted username the resulting path may resolve to a parent directory instead of the intended sub-directory.
Patches
This issue is fixed in version v2.7.1
AnalysisAI
SFTPGo versions before v2.7.1 suffer from improper input validation in dynamic group path handling, where placeholder substitution (e.g., %username%) fails to sanitize relative path traversal sequences. An authenticated attacker with user creation privileges can craft a malicious username containing path traversal components (such as ../) to escape the intended directory structure and access parent directories, achieving unauthorized directory traversal with low to moderate impact on confidentiality and integrity. The vulnerability requires authenticated access and is not listed as actively exploited in known exploit databases, though the fix availability and moderate CVSS score suggest it warrants prompt patching.
Technical ContextAI
SFTPGo is an SFTP server implementation that supports dynamic path configuration for home directories and key prefixes using template variables. The root cause is classified under CWE-20 (Improper Input Validation), wherein user-supplied data (specifically usernames) are interpolated into path expressions without proper canonicalization or validation against relative path components. When a group is configured with a dynamic home directory such as /home/%username%, the system directly substitutes the username placeholder without stripping or rejecting sequences like ../ that would cause path traversal. This is a classic input validation flaw in path construction where user-controlled input is embedded into file system paths without sanitization, affecting the SFTP service's ability to enforce directory containment.
RemediationAI
Immediately upgrade SFTPGo to version 2.7.1 or later, which contains the necessary input validation fixes for dynamic group path handling. Patch releases should be deployed to all instances, and administrators should verify that the patched version correctly rejects or sanitizes usernames containing path traversal sequences (../, ..\ etc.). Until patching is completed, implement compensating controls by restricting user creation privileges to trusted administrators only and avoiding dynamic group configurations with %username% placeholders if possible—instead use static home directories or implement manual user provisioning workflows. Organizations should also audit existing user accounts to identify any with suspicious usernames containing relative path components and remediate or delete such accounts. Consult the SFTPGo security advisories and release notes at https://github.com/drakkan/sftpgo/releases/tag/v2.7.1 for detailed patch notes and migration guidance.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12073
GHSA-m83q-5wr4-4gfp