SFTPGo CVE-2026-49244
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Public shares require no authentication (PR:N); canonical path prefix constraint limits viable targets (AC:H); impact is read-only file disclosure outside share boundary (C:H, I:N, A:N).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Summary
The public web-client endpoint for partial ZIP downloads of a browsable share did not correctly confine the client-supplied files entries to the shared directory. A requester able to reach a public share could read files located outside the shared directory, as long as the target's canonical path begins with the shared directory's name.
Patches
Fixed in v2.7.3. The fix replaces the raw prefix check with a directory-boundary-aware check.
Articles & Coverage 1
AnalysisAI
Path traversal in SFTPGo's public web-client partial ZIP download endpoint allows unauthenticated remote attackers to read files located outside a browsable share's directory boundary. The flaw exists because the endpoint validated file entries using a raw string prefix check rather than a directory-boundary-aware comparison - a crafted request can escape the share root by supplying paths whose canonical form begins with the shared directory name but resolves to a parent or sibling path. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the SFTPGo instance must have at least one public (unauthenticated) browsable share configured and accessible to the requester - private or authenticated-only shares are not affected; (2) the web-client HTTP interface must be reachable by the attacker, which is network-dependent; (3) the canonical path of the target file must begin with the shared directory's name, meaning the attacker must identify or predict a file in a directory whose name shares a prefix with the public share directory. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects a meaningful but conditionally exploitable information disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who discovers a public SFTPGo share (e.g., via web crawling or direct URL enumeration) submits a crafted partial ZIP download request to the web-client endpoint, supplying file entries whose paths are constructed so their canonical form begins with the shared directory name but traverses to a sibling directory - for instance, requesting '/shares/uploads/../uploads-internal/config.json' where 'uploads-internal' canonicalizes to a string starting with 'uploads'. The server's prefix check passes, and the file contents are returned in the ZIP response, exposing data outside the intended share boundary. … |
| Remediation | Upgrade SFTPGo to version 2.7.3 or later, which replaces the raw string prefix check with a directory-boundary-aware path confinement check. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-h64p-8h4r-6gfh