Skip to main content

SeaweedFS EUVDEUVD-2026-42285

| CVE-2026-55874 HIGH
Path Traversal (CWE-22)
2026-07-08 security-advisories@github.com
7.7
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.7 HIGH

Network-reachable S3 API, low complexity, requires a valid bucket-scoped identity (PR:L); scope changes as the caller crosses its authorization boundary, yielding high confidentiality only with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 16:01 EUVD
Analysis Generated
Jul 08, 2026 - 15:40 vuln.today

DescriptionCVE.org

SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side copy. This issue is fixed in version 4.34.

AnalysisAI

Cross-bucket object disclosure in SeaweedFS S3 API gateway (versions prior to 4.34) allows an authenticated identity scoped to a single bucket to read objects from other buckets by injecting dot-dot (../) path segments into the X-Amz-Copy-Source header of CopyObject and UploadPartCopy requests. Because the gateway performs a server-side copy without normalizing or rejecting traversal segments, the bucket-level access boundary is bypassed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid bucket-scoped S3 credentials
Delivery
Craft CopyObject with dot-dot X-Amz-Copy-Source
Exploit
Gateway resolves path across bucket boundary
Execution
Server-side copy reads foreign bucket object
Impact
Exfiltrate other tenants' data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid SeaweedFS S3 identity (PR:L authenticated per the CVSS vector) that is scoped to at least one bucket, and the deployment must expose the S3 API gateway with CopyObject and/or UploadPartCopy operations reachable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, base 7.7 High) is internally consistent and credible: the attack is network-reachable, low-complexity, requires low privilege (a valid but bucket-scoped S3 identity), needs no user interaction, and produces a changed-scope high-confidentiality impact - precisely matching a tenant escaping its bucket boundary to read other tenants' data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A tenant is issued S3 credentials scoped only to their own bucket in a shared SeaweedFS deployment. They send a CopyObject (or UploadPartCopy) request with an X-Amz-Copy-Source header like 'my-bucket/../victim-bucket/secret.key', and the gateway resolves the dot-dot segment to fetch the target object from another tenant's bucket into a location they control, disclosing its contents. …
Remediation Vendor-released patch: SeaweedFS 4.34 - upgrade the S3 gateway and associated components to 4.34 or later (https://github.com/seaweedfs/seaweedfs/releases/tag/4.34), which rejects dot-dot path segments in the X-Amz-Copy-Source header; the underlying fix is in pull request https://github.com/seaweedfs/seaweedfs/pull/9929 and commit b44cf51fe931bd75aa4d37ae766bea90d7f85ccd. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all SeaweedFS deployments and identify instances running versions prior to 4.34. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42285 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy