Withdrawn: The attack vector described in the backing report required that an attacker gain access to a user's session cookie. By gaining access to the session cookie the attacker is for all intents and purposes the valid user and any access to user data would be expected.
~In SFTPGo 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.~