v2.7.0

New Features

• SFTPD: Added support for Post-Quantum Traditional Hybrid Key Exchange through the newly added algorithm mlkem768x25519-sha256.
• JWT: replaced lestrrat-go/jwx with lightweight wrapper around go-jose. Implementing our own wrapper simplifies the codebase and improves maintainability. Moreover, go-jose depends only on the standard library, resulting in a leaner dependency that still meets all our requirements.
• WebUI: add French and German translations.
• Public shares: show disclaimer on login page.
• Enable setting password change requirements in user templates.
• DataProvider: preserve the initial sort order for related resources (such as folders and groups), improving compatibility and predictability when managing them with Terraform.
• Various internal refactoring, bug fixes, and minor improvements.

Bug Fixes

• OIDC: allow login if the password method is disabled.
• OIDC: ensure token username adheres to configured naming conventions.

Backward incompatible changes

• Removed Git support. Hosting Git repositories over SSH falls outside the intended scope of a file transfer solution, and the use of external commands introduces unnecessary security risks by increasing the attack surface. For example, a user could upload a Git repository containing custom hooks to their SFTPGo folder; when they push to the repository, a Git pre-receive hook shell script would be executed with the privileges of the sftpgo user. Thanks to @hyperreality for the detailed report.
• Removed rsync support. In the previous versions, rsync was executed as an external command, which means we have no insight into or control over what it actually does. From a security perspective, this is far from ideal. To be clear, there's nothing inherently wrong with rsync itself. However, if we were to support it properly within SFTPGo, we would need to implement the low-level protocol internally rather than relying on launching an external process. This would ensure it works seamlessly with any storage backend, just as SFTP does, for example. We recommend using one of the many alternatives that rely on the SFTP protocol, such as rclone.
• Remove startsubsys command: SFTPGo is not designed to be used as an OpenSSH subsystem: many features do not work correctly in subsystem mode. The functionality was added after a user request in the pkg/sftp repository to demonstrate that it was feasible using pkg/sftp, not for actual practical use.
• Removed legacy data retention REST API, use the EventManager instead.
• EventManager: Placeholder names must now use the format {{.VirtualPath}} (previously {{VirtualPath}}). Existing placeholders are automatically converted during update.

Windows binaries

Starting with this release, Windows binaries for SFTPGo will no longer be signed.
Over the past year, we’ve been using Azure Trusted Signing to obtain a personal code signing certificate. Unfortunately, due to changes in Azure’s policies, renewing that certificate is no longer possible.

For this release, I manually downloaded and signed the Windows installer generated via GitHub Actions using a new company certificate, which required offline signing. However, the binaries included in the installer are not individually signed.

Since manually downloading and signing each new installer is not a sustainable process, future Windows releases may be distributed without code signing.

We understand that signed binaries can make installation easier and build trust, and we’ll keep evaluating possible solutions for automated and transparent signing in the future.

• Update golang.org/x/crypto/ssh to v0.35.0 to fix CVE-2025-22869
• CI: switch to Go 1.23

New Features

• EventManager: added placeholders for year, month, day, hour, minute.
• Data provider: added link to upgrade documentation if upgrade fails because version is too old.

Bug Fixes

• rsync: enforce a supported format and limit the allowed options. CVE-2025-24366. Thanks to @ateamjkr for reporting.
• WebUIs: fix for scrollbar not displaying in navigation sidebar.

Bug Fixes

• OIDC session cookie: use a cryptographically secure opaque random string, as we already do in all other security-sensitive code in SFTPGo. CVE-2024-52801. Thanks to @denisvr72 for reporting.
• EventManager: fix connection leak when performing file operations on a third-party SFTP server, for example, to copy a file to another SFTP server after an upload.

CI

• Switch to Azure Trusted Signing to sign Windows binaries.

New features

• EventManager: system commands are disabled by default and an allow list has been added to explicitly define which ones are allowed. CVE-2024-52309. Thanks to @hyperreality for reporting.
• EventManager: add {{EscapedVirtualPath}} placeholder.
• EventManager: add {{DateTime}} placeholder.

Bug Fixes

• WebAdmin: check CSRF header when deleting blocked hosts in the same way we already do for all other state-changing endpoints.
• WebAdmin: correctly display multiple active connections for the same session.
• WebClient: improve readability of upload progress.
• Plugins: fix passing additional environment variables.

Backward incompatible changes

If you rely on EventManager to execute system commands, you should add the commands to the allowed list like this:

SFTPGO_COMMON__EVENT_MANAGER__ENABLED_COMMANDS="/bin/command1,/usr/bin/command2"

The following admin permissions have been removed:

• manage_admins
• manage_apikeys
• manage_system
• retention_checks
• manage_event_rules
• manage_roles
• manage_ip_lists

Now you need to add the * permission to replace the removed granular permissions because the removed permissions allow actions that should only be allowed to super administrators.
For example, you can define an administrator with the manage_system permission and not with the manage_admins or manage_user permission, but the manage_system permission allows you to restore a backup and then create users and administrators.
There is no point in having separate, overlapping permissions.

Bug Fixes

• Update chi router to v5.0.14 to fix a bug with the compressor handler. It may affect our WebDAV implementation. More details.

New features

• Defender: allow to impose a delay between login attempts.
• SSH: allow to configure minimum key size for DHGEX.
• Transfer logs: add error field.
• Logs: redact plugin arguments, they may contain sensitive data.
• Web UIs: added robots meta tag to prevent pages from appearing in search results.

Bug fixes

• Web UIs reset password: add proper access control. Fixes CVE-2024-37897.
• Web UIs: fixed several minor CSS and rendering issues.
• EventManager: fix ObjectDataString placeholder for provider events.
• Windows installer: set the minimum version to Windows 10 or Windows Server 2016. See Go minimum requirements. SFTPGo 2.6.x is compiled using Go 1.22.x.

New features

• Rewritten WebClient and WebAdmin UIs: we hope you find these new user interfaces more modern and easier to use. They also include a dark mode. Thank you to KeenThemes for granting us a custom license to use their amazing Mega Bundle for the new SFTPGo UIs.
• Documentation moved to sftpgo.github.io. The documentation source has been moved to this repository.
• Notifier plugin: add login succeeded events.
• Add time-based access restrictions.
• EventManager: allow to disable or delete inactive users.
• WebAdmin: allow to require password change and two-factor authentication also for admins.
• WebUIs: add experimental support for internazionalization.
• HTTP, WebDAV: allow to enable HTTP/2.
• Several bug fixes, minor features and performance improvements.

Features added to golang/x/crypto/ssh

This version benefits from some features I added to golang/x/crypto/ssh.

• Expose negotiated algorithms so that they can be logged.
• Add server side multi-step authentication. We were using an out of tree patch in previous versions.
• Add server side support for Diffie Hellman Group Exchange KEX. We were using an out of tree patch in previous versions.
• Allow to restrict allowed algorithms for public key authentication.

My work on golang/x/crypto/ssh is funded by @FiloSottile's clients. Thank you!!!

File transfer errors

Some errors for failed file transfers may reveal more information than necessary such as the actual filesystem path.
These errors are now filtered and the filesystem path is replaced with the virtual path.

Thanks to @nezzzumi for reporting this issue.

Backward incompatible changes

• The configuration file changed in a backward incompatible way. If you are modifying the configuration file instead of setting your customization via environment variables, make sure to adapt it to the new version.
• Removed support for the metadata plugin because it is very slow and memory intensive with folders containing millions of files. We will look to add metadata support again in the future, in a smarter way, if companies using SFTPGo are interested enough to fund this work.
• Data retention: removed ignore_user_permissions. This is the default now.
• RSA certificates/keys less than 2048 bits are no longer accepted.
• SSH: removed moduli files. Diffie Hellman Group Exchange KEX is now built-in. No external moduli files are required.
• Environment variables passed to plugins must respect a name convention: if the plugin name is named, for example, sftpgo-plugin-eventsearch only environment variables starting with SFTPGO_PLUGIN_EVENTSEARCH_ will be made available to the plugin.
• Removed support for diffie-hellman-group18-sha512 KEX because our previous implementation was too slow to be useful.
• Virtual folders returned along with users by external authentication hooks/plugins must exist.
• EventManager: in previous releases we tried to automatically detect whether {{ObjectData}} should be a JSON object or a JSON escaped string. This proved problematic and error prone, you now need to explicitly use {{ObjectDataString}} if you need a JSON escaped string.
• Web UIs branding: logo is now also used on the login page as the image is much smaller than in v2.5.x. A separate login image is no longer supported.

Contributions

We now require to agree to our Contributor License Agreement to accept contributions.
The CLA is based on a standard Apache ICLA.
Agreeing to the CLA explicitly states that you are entitled to provide a contribution and that you cannot withdraw permission to use your contribution at a later date. This removes any ambiguities or uncertainties.

Some past contributors did not respond to our request to sign the CLA or were unable to sign it, so we have rewritten or removed their contributions. The following (minor) features have been removed:

• redirecting output from external programs in SFTPGo logs.
• robots.txt endpoint.
• reading data provider username and password from file. This feature was never included in a stable release.
• support for having a different folder prefix for SFTP and FTP. The same can be achieved using a pre-login hook.

Bug Fixes

• Update golang/x/crypto/ssh to v0.17.0. Fixes CVE-2023-48795.
• Keyboard interactive authentication: respect hook disabled setting.
• S3: fix compatibility with newer SDK versions.
• Portable mode: fix panic while validating TLS certificates.