Cyber Posture

CVE-2026-30914

Severity: High
Published: 13 March 2026
Modified: 18 March 2026
KEV Added: not listed
Patch: fixed in 2.7.1
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (6.5th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30914 is a high-severity path traversal (CWE-22) vulnerability in SFTPGo (vendor: sftpgo project). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Note that the vector carries PR:L: the attacker needs a valid, low-privileged SFTPGo account before any crafted path has an effect. EPSS ranks it at the 6.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement). The durable fix is upgrading to SFTPGo 2.7.1; the controls below describe compensating defenses for this weakness class.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access to system resources, directly preventing authorization bypass via path normalization discrepancies in SFTPGo's Virtual Filesystem.

SI-10 Information Input Validation (prevent)
Validates file path inputs to block crafted paths that exploit path traversal and escape configured Virtual Folder boundaries.

AC-25 Reference Monitor (prevent)
Implements a tamper-proof reference monitor that mediates all resource accesses, ensuring protocol handlers and Virtual Filesystem routing cannot be bypassed.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

A path traversal authorization bypass in a network-accessible SFTPGo service directly enables remote exploitation of a public-facing application (T1190); escaping or bypassing virtual folder permissions then yields unauthorized local file reads (T1005) and directory enumeration (T1083).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. This vulnerability is fixed in 2.7.1.

Deeper analysis

CVE-2026-30914 is a path normalization discrepancy in SFTPGo, an open-source, event-driven file transfer solution, affecting versions prior to 2.7.1. The issue arises between protocol handlers and the internal Virtual Filesystem routing, leading to an authorization bypass classified as CWE-22 (Path Traversal). It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant confidentiality and integrity impacts.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely without user interaction. By crafting specific file paths, they bypass folder-level permissions or escape the boundaries of a configured Virtual Folder, potentially accessing or modifying unauthorized files.
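The weakness class the description refers to, modelled as an added Go example (SFTPGo is written in Go). This is illustrative code, not SFTPGo's own implementation: the permission table, the folderPerms type and the vulnerableResolve/hardenedResolve functions are constructed here to show how an authorization check on the raw request path and a filesystem layer that canonicalizes separately end up disagreeing about which virtual folder a request touches, and how canonicalizing once before any decision removes the gap.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrPermissionDenied is returned when the resolved folder does not grant op.
var ErrPermissionDenied = errors.New("permission denied")

// folderPerms maps a virtual folder, as the user sees it, to the operations it
// allows. An entry with an empty list is a folder the user may not touch at all.
// Constructed model for illustration; SFTPGo's real permission schema differs.
type folderPerms map[string][]string

// longestMatchingFolder returns the configured folder that is the longest
// component-wise string prefix of p ("/public" matches "/public/a", not
// "/publicx"). It deliberately does not normalize p: whether p was already
// canonicalized is the caller's decision, and that decision is the whole bug.
func longestMatchingFolder(perms folderPerms, p string) string {
	best := ""
	for folder := range perms {
		match := folder == "/" || p == folder || strings.HasPrefix(p, folder+"/")
		if match && len(folder) > len(best) {
			best = folder
		}
	}
	return best
}

// hasPerm reports whether folder grants op ("*" grants everything).
func hasPerm(perms folderPerms, folder, op string) bool {
	for _, allowed := range perms[folder] {
		if allowed == op || allowed == "*" {
			return true
		}
	}
	return false
}

// vulnerableResolve models the discrepancy: the protocol handler authorizes
// against the path exactly as the client sent it, and only afterwards does the
// filesystem layer canonicalize it. The two layers disagree about which folder
// is being touched whenever the request contains "..", "./" or doubled slashes.
func vulnerableResolve(perms folderPerms, requested, op string) (string, error) {
	folder := longestMatchingFolder(perms, requested)
	if !hasPerm(perms, folder, op) {
		return "", ErrPermissionDenied
	}
	return path.Clean("/" + requested), nil // normalization happens too late
}

// hardenedResolve canonicalizes once, up front, and makes every later decision
// on that single form, so authorization and routing can no longer disagree.
// path.Clean on a "/"-prefixed string yields an absolute path with no "." or
// ".." components and single slashes, so the result cannot leave the virtual root.
func hardenedResolve(perms folderPerms, requested, op string) (string, error) {
	clean := path.Clean("/" + requested)
	folder := longestMatchingFolder(perms, clean)
	if !hasPerm(perms, folder, op) {
		return "", ErrPermissionDenied
	}
	return clean, nil
}

func main() {
	// Constructed user: may list and download under /public, nothing under /private.
	perms := folderPerms{
		"/":        {"list"},
		"/public":  {"list", "download"},
		"/private": {},
	}
	for _, req := range []string{"/public/readme.txt", "/public/../private/secret.txt", "public//./readme.txt"} {
		v, verr := vulnerableResolve(perms, req, "download")
		h, herr := hardenedResolve(perms, req, "download")
		fmt.Printf("%-32s vulnerable: %-22s %v | hardened: %-20s %v\n", req, v, verr, h, herr)
	}
}
```

The second request shows the bypass: the raw string starts with "/public/", so the permission lookup picks the permissive folder, but the filesystem layer then cleans it to "/private/secret.txt". The third request shows the same discrepancy in the other direction, a legitimate relative path with a doubled slash that the raw check wrongly denies. When reviewing any VFS-style code, test the authorization path with "..", "./", "//" and relative inputs and confirm every decision reads the one canonical form.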

The vulnerability is addressed in SFTPGo version 2.7.1. Additional details on the issue and mitigation are available in the GitHub security advisory at https://github.com/drakkan/sftpgo/security/advisories/GHSA-x8qh-7475-c5mp.

Details

CWE(s)
CWE-22 (Path Traversal)

Affected Products
sftpgo project / sftpgo, versions < 2.7.1 (fixed in 2.7.1)

CVEs Like This One

CVE-2025-60946 (shared CWE-22)
CVE-2024-57549 (shared CWE-22)
CVE-2025-2264 (shared CWE-22)
CVE-2026-6024 (shared CWE-22)
CVE-2025-67160 (shared CWE-22)
CVE-2026-22557 (shared CWE-22)
CVE-2025-52452 (shared CWE-22)
CVE-2024-57669 (shared CWE-22)
CVE-2026-25869 (shared CWE-22)
CVE-2024-57451 (shared CWE-22)

References