
SFTPGo: Malicious usernames can access unintended directories

GHSA-m83q-5wr4-4gfp · CVE-2026-30915
Summary

SFTPGo versions prior to 2.7.1 can allow attackers to access sensitive data by creating a user with a specially crafted username. This can happen when using dynamic home directories or key prefixes. Update to version 2.7.1 or later to fix this issue.

What to do
  • Update the SFTPGo repository (github.com/drakkan/sftpgo) to version 2.7.1.
  • Update the Go module github.com/drakkan/sftpgo/v2 to version 2.7.1.
Affected software
Vendor       Product                         Affected versions     Fix available
github.com   drakkan                         > 2.3.0, <= 2.7.0     2.7.1
drakkan      github.com/drakkan/sftpgo/v2    > 2.3.0, <= 2.7.1     2.7.1
Original title
SFTPGo improperly sanitizes placeholders in group home directories/key prefixes
Original description
### Impact

SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, such as home directories or key prefixes.

When a group is configured with a dynamic home directory or key prefix using placeholders like `%username%`, the value replacing the placeholder is not strictly sanitized against relative path components. Consequently, if a user is created with a specially crafted username, the resulting path may resolve to a parent directory instead of the intended sub-directory.

### Patches

This issue is fixed in version v2.7.1.
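The description above explains the weakness class (a placeholder replaced verbatim inside a path template) without showing what a sound substitution looks like. The following Go program is an added illustration written for this page; it is not SFTPGo's code and does not claim to reproduce the v2.7.1 fix. The functions `expandNaive`, `validatePlaceholderValue`, `isWithin` and `expandSafe`, the `%username%` template strings and the sample usernames are all constructed for the example. `expandNaive` replaces the placeholder as-is, so a username made of relative path components moves the resolved directory outside the intended sub-directory; `expandSafe` only accepts a single plain path segment and additionally confirms that the cleaned result still lies under the template's static prefix, which is the kind of check a reviewer would look for in any code that builds per-user paths from a template.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// placeholder is the token a group path template may contain.
// Constructed for this example; the real template syntax is documented by SFTPGo.
const placeholder = "%username%"

// ErrUnsafePlaceholderValue is returned when a substituted value could change
// which directory the template resolves to.
var ErrUnsafePlaceholderValue = errors.New("unsafe placeholder value")

// expandNaive mirrors the weakness described in the advisory: the placeholder
// is replaced verbatim, so relative path components in the value are honoured
// when the path is cleaned. Hypothetical, for contrast only.
func expandNaive(template, username string) string {
	return path.Clean(strings.ReplaceAll(template, placeholder, username))
}

// validatePlaceholderValue accepts only a single, plain path segment:
// not empty, not "." or "..", and free of slashes, backslashes and NUL bytes.
func validatePlaceholderValue(v string) error {
	if v == "" || v == "." || v == ".." {
		return ErrUnsafePlaceholderValue
	}
	if strings.ContainsAny(v, "/\\\x00") {
		return ErrUnsafePlaceholderValue
	}
	return nil
}

// isWithin reports whether p equals base or is located below it.
// An empty base means the template had no static prefix, so every
// already-validated single segment is acceptable.
func isWithin(base, p string) bool {
	switch base {
	case "":
		return true
	case "/":
		return strings.HasPrefix(p, "/")
	}
	return p == base || strings.HasPrefix(p, base+"/")
}

// expandSafe validates the substituted value first and then verifies that the
// cleaned result is still under the static part of the template (defence in
// depth, in case the template itself is later changed).
func expandSafe(template, username string) (string, error) {
	idx := strings.Index(template, placeholder)
	if idx < 0 {
		// No placeholder: nothing user-controlled enters the path.
		return path.Clean(template), nil
	}
	if err := validatePlaceholderValue(username); err != nil {
		return "", fmt.Errorf("username %q: %w", username, err)
	}
	base := ""
	if idx > 0 {
		base = path.Clean(template[:idx])
	}
	resolved := path.Clean(strings.ReplaceAll(template, placeholder, username))
	if !isWithin(base, resolved) {
		return "", fmt.Errorf("resolved path %q escapes %q: %w", resolved, base, ErrUnsafePlaceholderValue)
	}
	return resolved, nil
}

func main() {
	// Constructed sample values: one ordinary username and two that contain
	// relative path components.
	const homeTemplate = "/srv/sftpgo/data/%username%"
	for _, name := range []string{"alice", "..", "../shared"} {
		safe, err := expandSafe(homeTemplate, name)
		fmt.Printf("username %-12q naive=%-28q safe=%q err=%v\n",
			name, expandNaive(homeTemplate, name), safe, err)
	}
}
```

Running the program shows the contrast the advisory describes: the naive expansion of `..` lands in the parent of the data directory, while the validated expansion rejects both crafted names and returns only `/srv/sftpgo/data/alice` for the ordinary one. The same check applies to an object-storage key prefix template such as `tenants/%username%/`, since `path.Clean` works on relative, slash-separated keys as well.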
Severity: CVSS 4.0 base score 6.9 (source: GHSA)
Vulnerability type
CWE-20 Improper Input Validation
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026