Skip to main content

SeaweedFS CVE-2026-55873

| EUVDEUVD-2026-42286 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-08 security-advisories@github.com
4.3
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible SigV4 API with trivial crafting (AC:L); authenticated S3 user required (PR:L); only admin metadata enumeration, no data or integrity impact (C:L/I:N/A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 16:05 vuln.today
Patch available
Jul 08, 2026 - 16:01 EUVD

DescriptionCVE.org

SeaweedFS is a distributed storage system. In versions 4.08 through 4.33, requests signed with SigV4 service s3tables are routed to the S3Tables management API where authorization collapses account-less S3 identities into the shared admin account and fails open, allowing an authenticated low-privileged S3 user to enumerate administrator-owned table bucket names and ARNs. This issue is fixed in version 4.34.

AnalysisAI

Authorization collapse in SeaweedFS 4.08-4.33 allows any authenticated low-privileged S3 user to enumerate administrator-owned S3 table bucket names and ARNs via a SigV4 routing flaw. Requests signed with service identifier 'S3Tables' are misrouted to the S3Tables management API, where the authorization logic fails open by collapsing account-less S3 identities into the shared admin account, effectively granting read access to admin-scoped metadata. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid low-privileged S3 credentials
Delivery
Craft SigV4 request with s3tables service identifier
Exploit
Request misrouted to S3Tables management API
Execution
Authorization collapses identity to shared admin account
Impact
Enumerate admin-owned table bucket names and ARNs

Vulnerability AssessmentAI

Exploitation The attacker must possess a valid, authenticated S3 user account on the target SeaweedFS instance - any privilege level is sufficient (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.3 score and vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately characterize this as a moderate-severity information-disclosure issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid but low-privileged S3 account on a SeaweedFS instance crafts a SigV4-signed HTTP request specifying 's3tables' as the service identifier. The misrouted request reaches the S3Tables management API where the authorization check incorrectly maps the attacker's account-less identity to the shared admin account and permits the call. …
Remediation Upgrade SeaweedFS to version 4.34 or later, which contains the vendor-released patch (commit b13463880c1fa62e255c058a9228b63cc95b4b36). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55873 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy