Skip to main content

TensorZero Gateway CVE-2026-54457

HIGH
Files or Directories Accessible to External Parties (CWE-552)
2026-07-15 https://github.com/tensorzero/tensorzero GHSA-824w-x939-6cmc
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
8.6 HIGH

Default TensorZero deployments run without authentication so PR:N is the realistic worst case; network low-complexity file read plus SSRF pivot gives S:C and C:H with no integrity/availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 22:17 vuln.today
Analysis Generated
Jul 15, 2026 - 22:17 vuln.today
CVE Published
Jul 15, 2026 - 21:59 github-advisory
HIGH 7.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 pypi packages depend on tensorzero (4 direct, 2 indirect)

Ecosystem-wide dependent count for version 2026.6.0.

DescriptionGitHub Advisory

Impact

The /internal/object_storage endpoint accepts a caller-supplied JSON storage_path parameter that dynamically overrides the TensorZero [object_storage] configuration.

By abusing the filesystem storage type, a caller can read arbitrary files from the gateway filesystem, including files that may contain sensitive credentials. Similarly, by abusing the s3_compatible storage type, the caller can coerce the gateway into making outbound object storage requests to attacker-chosen internal/cloud-metadata endpoints.

This vulnerability only applies when the gateway can be accessed by untrusted callers. If a developer's TensorZero deployment has authentication enabled, only authenticated callers can exploit this vulnerability. If a developer's deployment has authentication disabled, any caller can exploit this vulnerability.

Remediation

The vulnerability has been patched in version 2026.6.0. See PR #7527.

Workarounds

If developers are unable to upgrade a gateway that is exposed to untrusted callers, please block external access to the /internal/object_storage endpoint.

AnalysisAI

Arbitrary file read and server-side request forgery in TensorZero Gateway (pip package tensorzero, versions < 2026.6.0) let callers of the /internal/object_storage endpoint override the gateway's [object_storage] configuration via a caller-supplied storage_path JSON parameter. Using the filesystem storage type an attacker reads arbitrary files (including credential files) from the gateway host, while the s3_compatible type coerces the gateway into outbound requests to attacker-chosen internal or cloud-metadata endpoints. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed /internal/object_storage endpoint
Delivery
Send JSON storage_path overriding object_storage config
Exploit
Select filesystem or s3_compatible backend
Execution
Read local credential files or SSRF to metadata endpoint
Persist
Harvest cloud/IAM credentials
Impact
Pivot to internal systems

Vulnerability AssessmentAI

Exploitation Requires network reachability to the gateway's /internal/object_storage endpoint and the ability to send a JSON body containing a storage_path that overrides [object_storage]; abuse of the filesystem type enables arbitrary file read and abuse of the s3_compatible type enables SSRF to attacker-chosen internal/cloud-metadata endpoints. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (7.7 High) describes a network, low-complexity attack with a scope change (S:C, reflecting the SSRF pivot into internal/metadata systems) and high confidentiality impact, no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an unauthenticated TensorZero gateway sends a request to /internal/object_storage with a JSON storage_path that sets the filesystem storage type and points at a sensitive path (for example a config or credentials file), retrieving its contents. Alternatively they set the s3_compatible type with an endpoint of http://169.254.169.254/ to make the gateway fetch cloud instance-metadata and harvest temporary IAM credentials. …
Remediation Vendor-released patch: upgrade the tensorzero package to version 2026.6.0 or later (fix in commit 0abbc838 / PR #7527), per advisory GHSA-824w-x939-6cmc and release https://github.com/tensorzero/tensorzero/releases/tag/2026.6.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running tensorzero versions prior to 2026.6.0 and assess network accessibility of the /internal/object_storage endpoint. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy