Skip to main content

SeaweedFS CVE-2026-54917

| EUVDEUVD-2026-39535 HIGH
Path Traversal (CWE-22)
2026-06-25 GitHub_M
7.8
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable gateway with low-complexity '..' payload; PR:L reflects that S3/Iceberg requests are normally authenticated, and cross-bucket read/write gives high C and I with no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 20:03 EUVD
Source Code Evidence Fetched
Jun 25, 2026 - 19:15 vuln.today
Analysis Generated
Jun 25, 2026 - 19:15 vuln.today

DescriptionCVE.org

SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers with mux.NewRouter().SkipClean(true). With path cleaning disabled, a .. segment inside the URL survives routing, so a request such as GET /bucket-A/../evil-bucket/key, is matched as bucket=bucket-A, object=../evil-bucket/key. The captured object key is then joined into a filer path with util.JoinPath (S3) / path.Join (Iceberg), which collapse the .. server-side, so the actual read or write lands in evil-bucket. This vulnerability is fixed in 4.30.

AnalysisAI

Cross-bucket read/write in SeaweedFS before 4.30 lets remote attackers escape a bucket's namespace because the S3 API gateway and the Iceberg REST catalog gateway build their gorilla/mux routers with SkipClean(true), letting a literal '..' segment survive routing before downstream path joins collapse it server-side. A request like 'GET /bucket-A/../evil-bucket/key' is routed as bucket=bucket-A but resolves to evil-bucket, allowing an actor to read or write objects in buckets they should not reach. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach SeaweedFS S3/Iceberg gateway
Delivery
Craft URL with '..' segment
Exploit
mux SkipClean preserves traversal
Execution
path.Join collapses to other bucket
Persist
Read or write evil-bucket objects
Impact
Cross-bucket data theft or tampering

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target run the SeaweedFS S3 API gateway and/or the Iceberg REST catalog gateway, which in versions before 4.30 are constructed with mux.NewRouter().SkipClean(true) - that non-collapsing router setting IS the enabling condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) with subsequent-system impact SC:H/SI:H (base 7.8 / High) describes a network-reachable, low-complexity attack with high integrity and confidentiality consequences for adjacent buckets. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An actor with access to the S3 gateway sends 'GET /bucket-A/../evil-bucket/key' (or the Iceberg equivalent with a '..' namespace/table segment); mux's SkipClean(true) preserves the '..', and util.JoinPath/path.Join then collapse it so the read lands in evil-bucket instead of bucket-A. The same trick with a PUT writes attacker-controlled data into another bucket, enabling cross-bucket data theft or tampering. …
Remediation Vendor-released patch: upgrade SeaweedFS to 4.30 or later, which adds router-level path validation that rejects '..', '.', embedded slashes/backslashes, NUL, and malformed unit-separator namespace segments before they reach the filer path joins (per PR https://github.com/seaweedfs/seaweedfs/pull/9687 and advisory https://github.com/seaweedfs/seaweedfs/security/advisories/GHSA-w62w-66v9-vvgv). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all SeaweedFS deployments and confirm version numbers; audit which versions are 4.29 or earlier. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54917 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy