Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable low-complexity delete needing only single-bucket write credentials (PR:L); no confidentiality impact (C:N), but arbitrary cross-bucket deletion yields high integrity and availability impact (I:H/A:H).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the DeleteObjects XML request body. Attackers can bypass authorization controls through a confused deputy condition, as the validateRequestPath middleware only inspects URL-captured path variables and never examines request-body keys, allowing the filer path to collapse directory traversal sequences and resolve deletions outside the authorized bucket.
AnalysisAI
Cross-tenant object deletion in SeaweedFS before 4.34 lets an authenticated S3 principal holding write access to just one bucket destroy arbitrary objects in other tenants' buckets through the S3 gateway's DeleteMultipleObjectsHandler. By embedding ../ sequences in object keys inside the DeleteObjects XML request body, an attacker exploits a confused-deputy gap where path validation never inspected body keys. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires valid authenticated S3 credentials with write (DeleteObject) access to at least one bucket on the target SeaweedFS S3 gateway (PR:L), and the attacker must be able to send a multi-object delete (POST DeleteObjects) request whose XML body contains object keys with ../ (or encoded/backslash equivalents) traversal sequences. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a credible, near-term priority for multi-tenant SeaweedFS deployments rather than a high-CVSS-but-low-risk paper finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A SaaS platform gives each customer write credentials scoped to their own SeaweedFS bucket. A malicious tenant issues a single POST DeleteObjects request to the S3 gateway whose XML body lists keys such as ../victim-bucket/critical-object, and because body keys were never validated the filer resolves the traversal and deletes another tenant's data. … |
| Remediation | Vendor-released patch: upgrade to SeaweedFS 4.34, which adds body-key and path-segment validation (PR https://github.com/seaweedfs/seaweedfs/pull/9931, patch commit https://github.com/seaweedfs/seaweedfs/commit/0345658ea8e7c6a3948ad190634b00866ec244c9) and is the primary fix; review GHSA-w62w-66v9-vvgv and the VulnCheck advisory before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: scan production infrastructure to identify all SeaweedFS instances, versions, and S3 gateway exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cross-bucket read/write in SeaweedFS before 4.30 lets remote attackers escape a bucket's namespace because the S3 API ga
Unvalidated JSONP callback reflection in SeaweedFS before 4.30 enables cross-origin reads of cluster topology, volume se
seaweedfs v3.68 was discovered to contain a SQL injection vulnerability via the component /abstract_sql/abstract_sql_sto
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40360
GHSA-9cq9-w9qm-wc9p