EXECUTIVE SUMMARY:
CVE-2026-49244 (CVSS score 5.9) is a path confinement bypass vulnerability in the SFTPGo framework. It stems from improper handling of pathnames in the public web-client endpoint that serves partial ZIP downloads of browsable shares. An attacker who can reach a public share can exploit the flaw by manipulating the file entries requested for the ZIP so that the directory restriction is bypassed. As a result, the attacker can read sensitive files that reside outside the shared directory on the server. The business impact of such unauthorized access is significant: data exfiltration, exposure of proprietary secrets, and serious compliance violations. Exploitation is subject to a specific prerequisite: the attacker can only read files whose canonical path begins with the shared directory's name (for example, a sibling directory whose name extends the share's name). This condition narrows the scope somewhat but still presents a substantial risk to environments that rely on SFTPGo for secure file sharing and data management.
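The prerequisite above (the target's canonical path must begin with the shared directory's name) is the signature of a confinement check implemented as a bare string-prefix test. The following Go program is an added illustration of that bug class and its fix; it is not SFTPGo's code, and the share root and file paths in it are constructed for the example. The weak check accepts a sibling directory such as `/shares/docs-private` for a share rooted at `/shares/docs`; the hardened check requires either an exact match or a path-separator boundary after the root, and canonicalises the request first so `..` segments cannot re-enter a sibling.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// canonical normalises a requested entry to an absolute, cleaned path.
// Joining with "/" first means ".." can never climb above the root.
func canonical(requested string) string {
	return path.Clean(path.Join("/", requested))
}

// naiveWithinShare is the weak confinement check: a bare string-prefix test.
// For a share rooted at "/shares/docs" it wrongly accepts
// "/shares/docs-private/key.pem" because the string starts with the root.
func naiveWithinShare(shareRoot, requested string) bool {
	return strings.HasPrefix(canonical(requested), canonical(shareRoot))
}

// confinedWithinShare is the hardened check: the canonical path must equal
// the share root or continue with a "/" immediately after it, so a sibling
// directory that merely shares a name prefix is rejected.
func confinedWithinShare(shareRoot, requested string) bool {
	root := canonical(shareRoot)
	target := canonical(requested)
	if target == root {
		return true
	}
	boundary := root
	if boundary != "/" {
		boundary += "/"
	}
	return strings.HasPrefix(target, boundary)
}

func main() {
	// Constructed sample entries as they might appear in a partial ZIP request.
	share := "/shares/docs"
	entries := []string{
		"/shares/docs/report.pdf",           // legitimate file inside the share
		"/shares/docs",                      // the share root itself
		"/shares/docs-private/key.pem",      // sibling directory with a shared name prefix
		"/shares/docs/../docs-private/x",    // same sibling reached via ".."
		"../../etc/passwd",                  // classic traversal, blocked by both checks
	}
	fmt.Printf("%-36s %-6s %-6s\n", "entry", "naive", "fixed")
	for _, e := range entries {
		fmt.Printf("%-36s %-6v %-6v\n", e, naiveWithinShare(share, e), confinedWithinShare(share, e))
	}
}
```

When reviewing a confinement check, the test case to add is a sibling directory whose name extends the allowed root; a prefix test that passes it is the same class of defect this advisory describes.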
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-h64p-8h4r-6gfh