Cyber Resilience

CVE-2026-30914

Severity: Medium
Published: 13 March 2026
Modified: 18 March 2026
CVSS v4 score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0052 (40.1st percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-30914 is a medium-severity Path Traversal (CWE-22) vulnerability in SFTPGo (vendor: SFTPGo Project). Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 40.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-30914 is a path normalization discrepancy in SFTPGo, an open-source, event-driven file transfer solution, affecting versions prior to 2.7.1. The issue arises between the protocol handlers and the internal Virtual Filesystem routing: the two layers do not normalize paths the same way, so a path that passes the handler's checks can be routed by the Virtual Filesystem to a location the user is not authorized for. This is an authorization bypass classified as CWE-22 (Path Traversal). It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant confidentiality and integrity impacts.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely without user interaction. By crafting specific file paths, they can bypass folder-level permissions or escape the boundaries of a configured Virtual Folder, potentially reading or modifying files they are not authorized to access.

The vulnerability is addressed in SFTPGo version 2.7.1. Additional details on the issue and mitigation are available in the GitHub security advisory at https://github.com/drakkan/sftpgo/security/advisories/GHSA-x8qh-7475-c5mp.

Vulnerability details

SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. This vulnerability is fixed in 2.7.1.

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery (Discovery): Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

Why these techniques?

The path traversal authorization bypass in a network-accessible SFTPGo service directly enables remote exploitation of a public-facing application (T1190). Once past the Virtual Folder boundary, an attacker can read files they are not authorized for (T1005) and enumerate directories outside their assigned scope (T1083).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-60946 (shared CWE-22)
CVE-2025-52452 (shared CWE-22)
CVE-2024-57669 (shared CWE-22)
CVE-2026-25869 (shared CWE-22)
CVE-2025-2264 (shared CWE-22)
CVE-2024-57451 (shared CWE-22)
CVE-2026-49128 (shared CWE-22)
CVE-2026-40062 (shared CWE-22)
CVE-2019-25579 (shared CWE-22)
CVE-2022-50890 (shared CWE-22)

Affected Assets

Vendor: sftpgo project
Product: sftpgo
Versions: ≤ 2.7.1

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for logical access to system resources, directly preventing authorization bypass via path normalization discrepancies in SFTPGo's Virtual Filesystem.

Input validation (prevent): Validates file path inputs to block crafted paths that exploit path traversal and escape configured Virtual Folder boundaries.

AC-25 Reference Monitor (prevent): Implements a tamper-proof reference monitor that mediates all resource accesses, ensuring protocol handlers and Virtual Filesystem routing cannot be bypassed.

References

GitHub security advisory: https://github.com/drakkan/sftpgo/security/advisories/GHSA-x8qh-7475-c5mp