CVE-2026-42882
Received Received - Intake
Authentication Bypass in s3-proxy via Path Traversal

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware and the bucket handler. The authentication middleware evaluates resource path patterns against the percent-encoded request URI (r.URL.RequestURI()), while the bucket handler constructs S3 object keys from the decoded path (r.URL.Path). This mismatch, combined with the glob library being invoked without a path separator (causing * to match across / boundaries), allows unauthenticated attackers to write to, read from, or delete objects in protected S3 namespaces. Exploitation is possible via three techniques: (1) using * patterns that match across path separators to reach protected routes via path traversal (e.g., /open/foo/drafts/../restricted/), (2) using percent-encoded slashes (%2F) to collapse multiple path segments into a single token at the auth layer while the decoded form resolves to a protected namespace at the storage layer, and (3) using dot-dot segments (../) under ** prefix patterns, where the raw path matches an open route while Go's URL parser resolves the traversal to a protected path before the bucket handler runs. An unauthenticated attacker with network access can perform unauthorized PUT, GET, or DELETE operations on objects in authentication-protected S3 namespaces. This vulnerability is fixed in 5.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-42882
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oxyno-zeta s3-proxy to 5.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-42882 allows unauthenticated attackers to perform unauthorized PUT, GET, or DELETE operations on objects in protected S3 namespaces due to authentication bypass. This unauthorized access to protected data could lead to violations of data protection regulations such as GDPR or HIPAA, which require strict controls on access to sensitive personal or health information.

Because the vulnerability enables attackers to read, write, or delete protected data without authentication, organizations using affected versions of s3-proxy may fail to maintain confidentiality, integrity, and availability of sensitive data, potentially resulting in non-compliance with regulatory requirements.

Executive Summary

CVE-2026-42882 is an authentication bypass vulnerability in the oxyno-zeta/s3-proxy project, an AWS S3 proxy written in Go. The issue arises because the authentication middleware and the bucket handler interpret URL paths differently: the middleware checks the percent-encoded request URI, while the bucket handler uses the decoded path. This mismatch allows attackers to bypass authentication and access protected S3 namespaces.

  • Attackers can exploit this by using wildcard patterns (*) that match across path separators, enabling path traversal to protected routes.
  • They can use percent-encoded slashes (%2F) to collapse multiple path segments into one at the authentication layer, while the bucket handler sees them as separate segments, bypassing access controls.
  • They can also use dot-dot segments (../) under certain prefix patterns, where the raw path appears open but resolves to a protected path after decoding.

These techniques allow unauthenticated attackers with network access to perform unauthorized PUT, GET, or DELETE operations on objects in protected S3 namespaces.

Impact Analysis

This vulnerability can have severe impacts because it allows unauthenticated attackers to bypass authentication controls and directly manipulate objects in protected S3 namespaces.

  • Attackers can write (PUT) unauthorized data to your S3 buckets, potentially injecting malicious or unwanted content.
  • They can read (GET) sensitive or confidential data stored in protected buckets without any authentication.
  • They can delete (DELETE) important objects, leading to data loss or disruption of services.

Overall, this leads to a high risk of data breach, data integrity loss, and service availability issues.

Detection Guidance

Detection of this vulnerability involves identifying unauthorized access attempts exploiting path traversal, percent-encoded slashes, or wildcard patterns to bypass authentication in s3-proxy.

You can monitor HTTP requests to the s3-proxy server for suspicious patterns such as:

  • Requests containing path traversal sequences like '../' or their percent-encoded equivalents (%2E%2E, %2F).
  • Requests using wildcard patterns that match across path separators, e.g., paths with '*' or '**' that access protected namespaces.
  • Requests with percent-encoded slashes (%2F) that could collapse multiple path segments into one.

Suggested commands to detect such attempts include using network traffic inspection tools or web server logs with grep or similar tools. For example:

  • grep -E '\.\./|%2E%2E|%2F' /var/log/s3-proxy/access.log
  • tcpdump or Wireshark filters to capture HTTP requests containing suspicious path traversal or encoded characters.
  • Using custom scripts or intrusion detection systems to flag requests with unusual URL encodings or wildcard usage.
Mitigation Strategies

Immediate mitigation steps include upgrading s3-proxy to version 5.0.0 or later, where the vulnerability is fixed.

The fixes involve:

  • Applying a middleware that rejects path traversal attempts by fully decoding and normalizing paths before authentication (RejectTraversal middleware).
  • Changing glob pattern compilation to use '/' as a separator so that '*' matches only single path segments, preventing wildcard abuse.
  • Ensuring authentication middleware and bucket handler use consistent path interpretations, preferably using the raw path in both to preserve namespace separation.

Additionally, review and update resource path configurations to comply with the new glob pattern behavior, and monitor for any unauthorized access attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42882. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart