Skip to main content

SFTPGo CVE-2026-49244

MEDIUM
Path Traversal (CWE-22)
2026-07-02 https://github.com/drakkan/sftpgo GHSA-h64p-8h4r-6gfh
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

Public shares require no authentication (PR:N); canonical path prefix constraint limits viable targets (AC:H); impact is read-only file disclosure outside share boundary (C:H, I:N, A:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 19:30 vuln.today

DescriptionGitHub Advisory

Summary

The public web-client endpoint for partial ZIP downloads of a browsable share did not correctly confine the client-supplied files entries to the shared directory. A requester able to reach a public share could read files located outside the shared directory, as long as the target's canonical path begins with the shared directory's name.

Patches

Fixed in v2.7.3. The fix replaces the raw prefix check with a directory-boundary-aware check.

AnalysisAI

Path traversal in SFTPGo's public web-client partial ZIP download endpoint allows unauthenticated remote attackers to read files located outside a browsable share's directory boundary. The flaw exists because the endpoint validated file entries using a raw string prefix check rather than a directory-boundary-aware comparison - a crafted request can escape the share root by supplying paths whose canonical form begins with the shared directory name but resolves to a parent or sibling path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify public SFTPGo web-client endpoint
Delivery
Enumerate or predict browsable share name
Exploit
Craft ZIP download request with path-traversal entries
Execution
Bypass raw prefix check via canonical path prefix match
Impact
Retrieve files from outside share boundary

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the SFTPGo instance must have at least one public (unauthenticated) browsable share configured and accessible to the requester - private or authenticated-only shares are not affected; (2) the web-client HTTP interface must be reachable by the attacker, which is network-dependent; (3) the canonical path of the target file must begin with the shared directory's name, meaning the attacker must identify or predict a file in a directory whose name shares a prefix with the public share directory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects a meaningful but conditionally exploitable information disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who discovers a public SFTPGo share (e.g., via web crawling or direct URL enumeration) submits a crafted partial ZIP download request to the web-client endpoint, supplying file entries whose paths are constructed so their canonical form begins with the shared directory name but traverses to a sibling directory - for instance, requesting '/shares/uploads/../uploads-internal/config.json' where 'uploads-internal' canonicalizes to a string starting with 'uploads'. The server's prefix check passes, and the file contents are returned in the ZIP response, exposing data outside the intended share boundary. …
Remediation Upgrade SFTPGo to version 2.7.3 or later, which replaces the raw string prefix check with a directory-boundary-aware path confinement check. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

CVE-2026-49244 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy