SFTPGo improperly sanitizes placeholders in group home directories/key prefixes
Description
SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using placeholders like %username%, the value replacing the placeholder is not strictly sanitized against relative path components. Consequently, if a user is created with a specially crafted username, the resulting path may resolve to a parent directory instead of the intended sub-directory. This issue is fixed in version v2.7.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SFTPGo before v2.7.1 fails to sanitize placeholders like %username% in group home directories, allowing path traversal via crafted usernames.
Vulnerability
Overview
SFTPGo, an open-source event-driven file transfer solution, contains an input validation flaw in versions prior to v2.7.1. The issue arises when a group is configured with a dynamic home directory or key prefix that includes placeholders such as %username%. The value substituted for the placeholder is not properly sanitized against relative path components (e.g., ../), enabling path traversal [1][4].
Exploitation
An attacker who can create or control a username (for example, through user registration or administrative actions) can craft a username containing relative path sequences. When SFTPGo resolves the dynamic path, the unsanitized placeholder value can cause the resulting path to point to a parent directory instead of the intended sub-directory. This attack requires the ability to set a username that includes path traversal sequences, and the group must be configured to use dynamic placeholders [1][4].
Impact
Successful exploitation allows an attacker to access files or directories outside the intended scope, potentially reading, writing, or listing files in parent directories. This could lead to unauthorized access to sensitive data or further compromise of the SFTPGo server [1][4].
Mitigation
The vulnerability is fixed in SFTPGo version v2.7.1. Users should upgrade to this version or later. No workarounds are mentioned in the advisories [1][4]. The issue is tracked as GHSA-m83q-5wr4-4gfp and GO-2026-4697 [3][4].
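The Overview and Exploitation sections above describe the mechanism: a placeholder such as %username% is substituted verbatim into a group path template, so a value carrying relative path components moves the resolved path above the intended sub-directory. The following Go program is an added example, not SFTPGo's own code, that contrasts that naive substitution with a validated one. The template strings, the function names, and the rule that a placeholder value must be a single path element (no separators, not "." or "..") are assumptions made for the illustration; the containment check after substitution is defense in depth in case the template itself places the placeholder somewhere unexpected.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// Placeholder token used in the group path templates (the page names %username%).
const usernamePlaceholder = "%username%"

// ErrInvalidPlaceholderValue is returned when a substituted value would
// escape the static part of the template.
var ErrInvalidPlaceholderValue = errors.New("placeholder value contains path traversal components")

// naiveExpand models the behaviour the page describes for the affected
// versions: the value is dropped into the template as-is, so a username
// such as "../shared" resolves to a sibling or parent of the intended
// sub-directory once the path is cleaned.
func naiveExpand(template, value string) string {
	return path.Clean(strings.ReplaceAll(template, usernamePlaceholder, value))
}

// sanitizePlaceholderValue accepts only a single path element (assumed rule).
func sanitizePlaceholderValue(v string) error {
	if v == "" || v == "." || v == ".." {
		return ErrInvalidPlaceholderValue
	}
	// Reject both separator styles; the path package would treat a
	// backslash as an ordinary character, but a filesystem might not.
	if strings.ContainsAny(v, `/\`) {
		return ErrInvalidPlaceholderValue
	}
	return nil
}

// withinBase reports whether the cleaned path p still lies under base.
// Slash-separated paths are used so the same check serves home directories
// and object-storage key prefixes alike.
func withinBase(base, p string) bool {
	base = path.Clean(base)
	p = path.Clean(p)
	switch base {
	case ".":
		return !path.IsAbs(p) && p != ".." && !strings.HasPrefix(p, "../")
	case "/":
		return path.IsAbs(p)
	default:
		return p == base || strings.HasPrefix(p, base+"/")
	}
}

// safeExpand validates the value before substitution and then verifies that
// the result is still contained in the static prefix preceding the placeholder.
func safeExpand(template, value string) (string, error) {
	if err := sanitizePlaceholderValue(value); err != nil {
		return "", err
	}
	base := strings.SplitN(template, usernamePlaceholder, 2)[0]
	result := path.Clean(strings.ReplaceAll(template, usernamePlaceholder, value))
	if !withinBase(base, result) {
		return "", ErrInvalidPlaceholderValue
	}
	return result, nil
}

func main() {
	// Constructed sample inputs: one benign username, one carrying "../".
	const homeTemplate = "/data/users/%username%"
	for _, name := range []string{"alice", "../shared"} {
		safe, err := safeExpand(homeTemplate, name)
		fmt.Printf("username=%q naive=%q safe=%q err=%v\n",
			name, naiveExpand(homeTemplate, name), safe, err)
	}
}
```

The naive path shows why cleaning the final string is not enough: path.Clean happily collapses "/data/users/../shared" into "/data/shared". Validating the substituted value as a single path element is the check that actually closes the gap, and the containment test catches templates where the placeholder is not the last element.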
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/drakkan/sftpgo/v2 (Go) | >= 2.3.0, < 2.7.1 | 2.7.1 |
Affected products
- drakkan/sftpgo (range: >= 2.3.0, < 2.7.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-m83q-5wr4-4gfp (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2026-30915 (NVD)
- [3] github.com/drakkan/sftpgo/security/advisories/GHSA-m83q-5wr4-4gfp (vendor advisory)
- [4] pkg.go.dev/vuln/GO-2026-4697 (Go vulnerability database)
News mentions
No linked articles in our index yet.