TensorZero Gateway CVE-2026-54457
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Default TensorZero deployments run without authentication so PR:N is the realistic worst case; network low-complexity file read plus SSRF pivot gives S:C and C:H with no integrity/availability impact.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 6 pypi packages depend on tensorzero (4 direct, 2 indirect)
Ecosystem-wide dependent count for version 2026.6.0.
DescriptionGitHub Advisory
Impact
The /internal/object_storage endpoint accepts a caller-supplied JSON storage_path parameter that dynamically overrides the TensorZero [object_storage] configuration.
By abusing the filesystem storage type, a caller can read arbitrary files from the gateway filesystem, including files that may contain sensitive credentials. Similarly, by abusing the s3_compatible storage type, the caller can coerce the gateway into making outbound object storage requests to attacker-chosen internal/cloud-metadata endpoints.
This vulnerability only applies when the gateway can be accessed by untrusted callers. If a developer's TensorZero deployment has authentication enabled, only authenticated callers can exploit this vulnerability. If a developer's deployment has authentication disabled, any caller can exploit this vulnerability.
Remediation
The vulnerability has been patched in version 2026.6.0. See PR #7527.
Workarounds
If developers are unable to upgrade a gateway that is exposed to untrusted callers, please block external access to the /internal/object_storage endpoint.
AnalysisAI
Arbitrary file read and server-side request forgery in TensorZero Gateway (pip package tensorzero, versions < 2026.6.0) let callers of the /internal/object_storage endpoint override the gateway's [object_storage] configuration via a caller-supplied storage_path JSON parameter. Using the filesystem storage type an attacker reads arbitrary files (including credential files) from the gateway host, while the s3_compatible type coerces the gateway into outbound requests to attacker-chosen internal or cloud-metadata endpoints. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires network reachability to the gateway's /internal/object_storage endpoint and the ability to send a JSON body containing a storage_path that overrides [object_storage]; abuse of the filesystem type enables arbitrary file read and abuse of the s3_compatible type enables SSRF to attacker-chosen internal/cloud-metadata endpoints. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (7.7 High) describes a network, low-complexity attack with a scope change (S:C, reflecting the SSRF pivot into internal/metadata systems) and high confidentiality impact, no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach an unauthenticated TensorZero gateway sends a request to /internal/object_storage with a JSON storage_path that sets the filesystem storage type and points at a sensitive path (for example a config or credentials file), retrieving its contents. Alternatively they set the s3_compatible type with an endpoint of http://169.254.169.254/ to make the gateway fetch cloud instance-metadata and harvest temporary IAM credentials. … |
| Remediation | Vendor-released patch: upgrade the tensorzero package to version 2026.6.0 or later (fix in commit 0abbc838 / PR #7527), per advisory GHSA-824w-x939-6cmc and release https://github.com/tensorzero/tensorzero/releases/tag/2026.6.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running tensorzero versions prior to 2026.6.0 and assess network accessibility of the /internal/object_storage endpoint. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-824w-x939-6cmc