CVE-2026-42882
Authentication Bypass in s3-proxy via Path Traversal
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oxyno-zeta | s3-proxy | < 5.0.0 (fixed in 5.0.0) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42882 is an authentication bypass vulnerability in the oxyno-zeta/s3-proxy project, an AWS S3 proxy written in Go. The root cause is that two components interpret the same URL path differently: the authentication middleware evaluates its resource patterns against the still percent-encoded request URI, while the bucket handler operates on the decoded path. Any request whose encoded and decoded forms disagree is therefore authorized on one path and served on another, which lets an attacker reach protected S3 namespaces.
- Wildcards in the configured resource patterns were compiled so that `*` matches across `/`. A pattern meant to cover a single segment under an open prefix therefore also covers deeper paths, including ones that traverse into a protected route.
- Percent-encoded slashes (`%2F`) collapse several path segments into one at the authentication layer: `a%2Fb` is a single segment before decoding, so it satisfies a single-segment pattern for an open prefix, but the bucket handler decodes it to `a/b`, two segments, and acts on a path the middleware never checked.
- Dot-dot segments (`../`) work under certain prefix patterns: the raw path starts with an open prefix, so the middleware lets it through, but after decoding and normalisation it resolves to a protected path, and that is what the handler operates on.
These techniques allow unauthenticated attackers with network access to perform unauthorized PUT, GET, or DELETE operations on objects in protected S3 namespaces.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows unauthenticated attackers to bypass authentication controls and directly manipulate objects in protected S3 namespaces.
- Attackers can write (PUT) unauthorized data to your S3 buckets, potentially injecting malicious or unwanted content.
- They can read (GET) sensitive or confidential data stored in protected buckets without any authentication.
- They can delete (DELETE) important objects, leading to data loss or disruption of services.
Overall, this leads to a high risk of data breach, data integrity loss, and service availability issues.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exploitation means spotting requests whose path is read one way by the authentication middleware and another way by the bucket handler: dot-dot segments, percent-encoded slashes or dots, or resource patterns in your configuration whose wildcard an attacker relied on to cross a `/`.
Watch the HTTP requests reaching s3-proxy (or the access log it writes) for:
- Path traversal sequences such as `../`, or their percent-encoded forms (`%2E%2E`, `%2F`); match case-insensitively, since decoders accept `%2e` and `%2f` as well.
- Requests whose path, once decoded and normalised, lands under a protected prefix even though the raw path matched an open pattern. The attacker does not send a `*`; the wildcard is in your configuration, so review every resource pattern whose `*` was expected to stop at a `/`.
- Percent-encoded slashes (`%2F`) that turn several path segments into one at the authentication layer. A raw path with a single segment after an open prefix that becomes several segments after decoding is the signature.
Suggested ways to look for such attempts, using traffic inspection tools or the proxy's access log with grep or similar:
- `grep -iE '\.\./|%2e%2e|%2f' /var/log/s3-proxy/access.log` (the log path is an example; use wherever your deployment writes the proxy's access log). `%2F` also appears in legitimate requests for keys that contain encoded slashes, so treat hits as candidates and decode each path before deciding whether it resolves under a protected prefix.
- tcpdump or Wireshark with a filter on the HTTP request path for `..`, `%2F` or `%2E`. This only works where the traffic is plaintext at the capture point; if the proxy sits behind a TLS terminator, capture there.
- An IDS/WAF rule or a small script that flags any request whose decoded, normalised path differs from its raw path, or whose decoding changes the number of path segments.
Because the proxy makes the S3 call with its own credentials, the bucket's server access logs attribute the operation to the proxy, not the attacker; correlate by timestamp and object key with the proxy's access log to see which client request produced a write or delete under a protected prefix.
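As an added example (not part of this page's original content or s3-proxy's own tooling), the following Go program applies the detection logic above to constructed access-log lines: it extracts the request path, flags percent-encoded slashes or dots and any path that changes under decoding plus normalisation, and reports the path the bucket handler would actually act on so it can be compared against your protected prefixes. The combined-log line format, the `inspectPath`/`scanLog` names and the sample lines are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// finding is one flagged request from the log.
type finding struct {
	Method   string
	RawPath  string // path exactly as the client sent it
	Resolved string // decoded and cleaned path: what the bucket handler acts on
	Reason   string
}

// requestRe pulls method and path out of an assumed combined-log style line
// such as: 203.0.113.5 - - [..] "GET /public/x HTTP/1.1" 200 512
// Adjust it to the log format your proxy actually writes.
var requestRe = regexp.MustCompile(`"([A-Z]+) (\S+) HTTP/[0-9.]+"`)

// inspectPath returns the path after decoding and normalisation, plus a
// non-empty reason when the raw path would be read differently before and
// after decoding (the mismatch the CVE relies on).
func inspectPath(raw string) (resolved string, reason string) {
	// The query string plays no part in the auth/handler mismatch; drop it.
	if i := strings.IndexByte(raw, '?'); i >= 0 {
		raw = raw[:i]
	}
	lower := strings.ToLower(raw)
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return raw, "malformed percent-encoding"
	}
	// Normalise the decoded path: resolves "..", "." and empty segments.
	resolved = path.Clean("/" + strings.TrimPrefix(decoded, "/"))
	// A single trailing slash is harmless; ignore it when comparing.
	norm := decoded
	if len(norm) > 1 {
		norm = strings.TrimSuffix(norm, "/")
	}
	switch {
	case strings.Contains(lower, "%2f"):
		reason = "encoded slash: one segment before decoding, several after"
	case strings.Contains(lower, "%2e"):
		reason = "encoded dot: possible hidden dot-dot segment"
	case resolved != norm:
		reason = "path changes under normalisation (dot-dot or empty segment)"
	}
	return resolved, reason
}

// scanLog runs inspectPath over every request found in lines and returns the
// flagged ones in log order.
func scanLog(lines []string) []finding {
	var out []finding
	for _, line := range lines {
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		resolved, reason := inspectPath(m[2])
		if reason == "" {
			continue
		}
		out = append(out, finding{Method: m[1], RawPath: m[2], Resolved: resolved, Reason: reason})
	}
	return out
}

// sampleLog is constructed for this example (documentation IP ranges).
// Lines 2 to 4 model the three techniques described in the advisory; line 5 is
// a benign request with an encoded space that must not be flagged.
var sampleLog = []string{
	`203.0.113.5 - - [11/May/2026:10:00:01 +0000] "GET /public/index.html HTTP/1.1" 200 512`,
	`203.0.113.5 - - [11/May/2026:10:00:02 +0000] "GET /public/../private/secret.txt HTTP/1.1" 200 2048`,
	`198.51.100.7 - - [11/May/2026:10:00:03 +0000] "PUT /public/a%2F..%2F..%2Fprivate%2Fdropped.txt HTTP/1.1" 200 0`,
	`198.51.100.7 - - [11/May/2026:10:00:04 +0000] "DELETE /public/%2e%2e/private/secret.txt HTTP/1.1" 204 0`,
	`203.0.113.9 - - [11/May/2026:10:00:05 +0000] "GET /public/report%202026.pdf HTTP/1.1" 200 9001`,
}

func main() {
	for _, f := range scanLog(sampleLog) {
		fmt.Printf("%-6s %-45s -> %-22s %s\n", f.Method, f.RawPath, f.Resolved, f.Reason)
	}
}
```

Run it against your real log by replacing `sampleLog` with the file's lines; every finding's `Resolved` path is the one to check against the prefixes your resource rules protect.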
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading s3-proxy to version 5.0.0 or later, where the vulnerability is fixed.
The fixes involve:
- Applying a middleware that rejects path traversal attempts by fully decoding and normalizing paths before authentication (RejectTraversal middleware).
- Changing glob pattern compilation to use '/' as a separator so that '*' matches only single path segments, preventing wildcard abuse.
- Ensuring authentication middleware and bucket handler use consistent path interpretations, preferably using the raw path in both to preserve namespace separation.
Additionally, review and update resource path configurations to comply with the new glob pattern behavior, and monitor for any unauthorized access attempts.
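To make the mismatch described in the explanation above and the fix listed here concrete, the following is an added Go example written for this page; it is not code from s3-proxy. It models an authentication decision over two assumed resource rules (`/public/*` open, `/private/*` protected), with the glob compiled either so that `*` crosses `/` (the pre-fix behaviour) or stays within one segment (the post-fix separator behaviour), and contrasts a decision made on the still-encoded path with one made after decoding and normalising in the spirit of the RejectTraversal middleware. The rule set, the function names and the modelling of the bucket handler as acting on the cleaned decoded path are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// rule pairs a glob pattern for a resource path with whether it requires auth.
type rule struct {
	pattern     string
	requireAuth bool
}

// Assumed configuration: the public prefix is open, the private prefix needs
// auth. First matching rule wins; unmatched paths are treated as protected.
var rules = []rule{
	{pattern: "/public/*", requireAuth: false},
	{pattern: "/private/*", requireAuth: true},
}

// globToRegexp compiles a glob in which '*' either crosses '/' (crossSep=true,
// the behaviour the advisory describes) or stays inside one segment
// (crossSep=false, compiling with '/' as the separator).
func globToRegexp(glob string, crossSep bool) *regexp.Regexp {
	star := `[^/]*`
	if crossSep {
		star = `.*`
	}
	parts := strings.Split(glob, "*")
	for i, p := range parts {
		parts[i] = regexp.QuoteMeta(p)
	}
	return regexp.MustCompile("^" + strings.Join(parts, star) + "$")
}

// requiresAuth reports whether the first rule matching p demands authentication.
func requiresAuth(p string, crossSep bool) bool {
	for _, r := range rules {
		if globToRegexp(r.pattern, crossSep).MatchString(p) {
			return r.requireAuth
		}
	}
	return true // deny by default
}

// vulnerableDecision mirrors the flaw: the middleware evaluates the encoded
// request path with separator-crossing wildcards, while the handler (modelled
// here as resolving the decoded path, as the advisory's "resolves to a
// protected path" describes) acts on something else.
func vulnerableDecision(rawPath string) (needsAuth bool, objectPath string, err error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return true, "", err
	}
	return requiresAuth(rawPath, true), path.Clean(decoded), nil
}

// fixedDecision decodes and cleans once, rejects anything that changes under
// decoding or normalisation (encoded slashes or dots, dot-dot, empty segments),
// and then evaluates the same path the handler will use with segment-bound
// wildcards, so both layers agree on what is being accessed.
func fixedDecision(rawPath string) (needsAuth bool, objectPath string, err error) {
	lower := strings.ToLower(rawPath)
	decoded, err := url.PathUnescape(rawPath)
	if err != nil || !strings.HasPrefix(decoded, "/") {
		return true, "", fmt.Errorf("path %q rejected: undecodable or not absolute", rawPath)
	}
	norm := decoded
	if len(norm) > 1 {
		norm = strings.TrimSuffix(norm, "/") // a lone trailing slash is tolerated
	}
	cleaned := path.Clean(decoded)
	if cleaned != norm || strings.Contains(lower, "%2f") || strings.Contains(lower, "%2e") {
		return true, "", fmt.Errorf("path %q rejected: normalises to %q", rawPath, cleaned)
	}
	return requiresAuth(cleaned, false), cleaned, nil
}

func main() {
	for _, p := range []string{
		"/public/img.png",
		"/public/../private/secret.txt",
		"/public/a%2F..%2F..%2Fprivate%2Fsecret.txt",
	} {
		vNeed, vObj, _ := vulnerableDecision(p)
		fNeed, fObj, fErr := fixedDecision(p)
		fmt.Printf("%-45s vulnerable: auth=%-5v acts on %-22s | fixed: auth=%v obj=%q err=%v\n",
			p, vNeed, vObj, fNeed, fObj, fErr)
	}
}
```

Note that the `%2F` case defeats even a segment-bound `*` when the check runs on the encoded path, because the encoded path contains no `/` after the prefix at all; only decoding before the check, as in `fixedDecision`, closes it. Rules that genuinely need to cover nested keys must use a pattern that matches several segments explicitly after the fix, which is why the page tells you to review your resource configuration.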
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-42882 allows unauthenticated attackers to perform unauthorized PUT, GET, or DELETE operations on objects in protected S3 namespaces due to authentication bypass. This unauthorized access to protected data could lead to violations of data protection regulations such as GDPR or HIPAA, which require strict controls on access to sensitive personal or health information.
Because the vulnerability enables attackers to read, write, or delete protected data without authentication, organizations using affected versions of s3-proxy may fail to maintain confidentiality, integrity, and availability of sensitive data, potentially resulting in non-compliance with regulatory requirements.