Skip to main content

SeaweedFS EUVDEUVD-2026-40360

| CVE-2026-58372 HIGH
Path Traversal (CWE-22)
2026-06-30 VulnCheck GHSA-9cq9-w9qm-wc9p
7.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable low-complexity delete needing only single-bucket write credentials (PR:L); no confidentiality impact (C:N), but arbitrary cross-bucket deletion yields high integrity and availability impact (I:H/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Source Code Evidence Fetched
Jun 30, 2026 - 17:36 vuln.today
Analysis Updated
Jun 30, 2026 - 17:36 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 17:22 NVD
8.1 (HIGH) 7.2 (HIGH)
Analysis Generated
Jun 30, 2026 - 17:18 vuln.today

DescriptionCVE.org

SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the DeleteObjects XML request body. Attackers can bypass authorization controls through a confused deputy condition, as the validateRequestPath middleware only inspects URL-captured path variables and never examines request-body keys, allowing the filer path to collapse directory traversal sequences and resolve deletions outside the authorized bucket.

AnalysisAI

Cross-tenant object deletion in SeaweedFS before 4.34 lets an authenticated S3 principal holding write access to just one bucket destroy arbitrary objects in other tenants' buckets through the S3 gateway's DeleteMultipleObjectsHandler. By embedding ../ sequences in object keys inside the DeleteObjects XML request body, an attacker exploits a confused-deputy gap where path validation never inspected body keys. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain write-scoped S3 credentials for one bucket
Delivery
Craft DeleteObjects XML with ../victim-bucket/key entries
Exploit
Submit POST DeleteObjects to S3 gateway
Execution
Filer collapses traversal past validateRequestPath
Impact
Delete arbitrary cross-tenant objects

Vulnerability AssessmentAI

Exploitation Exploitation requires valid authenticated S3 credentials with write (DeleteObject) access to at least one bucket on the target SeaweedFS S3 gateway (PR:L), and the attacker must be able to send a multi-object delete (POST DeleteObjects) request whose XML body contains object keys with ../ (or encoded/backslash equivalents) traversal sequences. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a credible, near-term priority for multi-tenant SeaweedFS deployments rather than a high-CVSS-but-low-risk paper finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A SaaS platform gives each customer write credentials scoped to their own SeaweedFS bucket. A malicious tenant issues a single POST DeleteObjects request to the S3 gateway whose XML body lists keys such as ../victim-bucket/critical-object, and because body keys were never validated the filer resolves the traversal and deletes another tenant's data. …
Remediation Vendor-released patch: upgrade to SeaweedFS 4.34, which adds body-key and path-segment validation (PR https://github.com/seaweedfs/seaweedfs/pull/9931, patch commit https://github.com/seaweedfs/seaweedfs/commit/0345658ea8e7c6a3948ad190634b00866ec244c9) and is the primary fix; review GHSA-w62w-66v9-vvgv and the VulnCheck advisory before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: scan production infrastructure to identify all SeaweedFS instances, versions, and S3 gateway exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40360 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy