Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-accessible SigV4 API with trivial crafting (AC:L); authenticated S3 user required (PR:L); only admin metadata enumeration, no data or integrity impact (C:L/I:N/A:N).
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
SeaweedFS is a distributed storage system. In versions 4.08 through 4.33, requests signed with SigV4 service s3tables are routed to the S3Tables management API where authorization collapses account-less S3 identities into the shared admin account and fails open, allowing an authenticated low-privileged S3 user to enumerate administrator-owned table bucket names and ARNs. This issue is fixed in version 4.34.
AnalysisAI
Authorization collapse in SeaweedFS 4.08-4.33 allows any authenticated low-privileged S3 user to enumerate administrator-owned S3 table bucket names and ARNs via a SigV4 routing flaw. Requests signed with service identifier 'S3Tables' are misrouted to the S3Tables management API, where the authorization logic fails open by collapsing account-less S3 identities into the shared admin account, effectively granting read access to admin-scoped metadata. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must possess a valid, authenticated S3 user account on the target SeaweedFS instance - any privilege level is sufficient (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.3 score and vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately characterize this as a moderate-severity information-disclosure issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid but low-privileged S3 account on a SeaweedFS instance crafts a SigV4-signed HTTP request specifying 's3tables' as the service identifier. The misrouted request reaches the S3Tables management API where the authorization check incorrectly maps the attacker's account-less identity to the shared admin account and permits the call. … |
| Remediation | Upgrade SeaweedFS to version 4.34 or later, which contains the vendor-released patch (commit b13463880c1fa62e255c058a9228b63cc95b4b36). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42286