CVE-2026-54917
Awaiting Analysis - Queue
Path Traversal in SeaweedFS S3 API Gateway

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers with mux.NewRouter().SkipClean(true). With path cleaning disabled, a .. segment inside the URL survives routing, so a request such as `GET /bucket-A/../evil-bucket/key` is matched as bucket=bucket-A, object=../evil-bucket/key. The captured object key is then joined into a filer path with util.JoinPath (S3) / path.Join (Iceberg), which collapse the .. server-side, so the actual read or write lands in evil-bucket. This vulnerability is fixed in 4.30.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
seaweedfs seaweedfs 4.30
seaweedfs seaweedfs to 4.30 (exc)
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

CVE-2026-54917 is a path traversal vulnerability in SeaweedFS affecting the S3 API gateway and Iceberg REST catalog gateway. The issue arises because the routers are configured with path cleaning disabled (SkipClean(true)), allowing URL segments like ".." to survive routing. This means a request such as GET /bucket-A/../evil-bucket/key is interpreted as accessing bucket-A with an object key containing "../evil-bucket/key". When the server processes this path, it collapses the ".." segment, causing the operation to actually target the evil-bucket instead of bucket-A.

Even with authentication enabled, the IAM policy evaluation uses the original bucket name (bucket-A), but the actual read or write happens on the traversed bucket (evil-bucket), creating an authorization confused-deputy scenario. This breaks tenant isolation and allows unauthorized access to other buckets.

The vulnerability affects all versions prior to 4.30 and is fixed by introducing centralized path-validation middleware that rejects unsafe path segments such as ".", "..", NUL bytes, or embedded slashes/backslashes in path variables before any handler processes them.
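The mismatch between the bucket that is authorized and the bucket that is touched, together with the kind of path-variable check the fix is described as adding, as an added example that is not SeaweedFS code. The routing step is imitated with string splitting instead of the real router; `bucketsRoot`, `routeVars`, `effectiveBucket`, `validatePathVar` and its `multiSegment` flag are hypothetical names and assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

const bucketsRoot = "/buckets" // assumed filer directory, one sub-directory per bucket

// routeVars mimics a "/{bucket}/{object:.+}" route on a router that skips
// path cleaning: first segment is the bucket, the remainder is the object key.
func routeVars(urlPath string) (bucket, object string) {
	bucket, object, _ = strings.Cut(strings.TrimPrefix(urlPath, "/"), "/")
	return bucket, object
}

// effectiveBucket joins the captured variables into a filer path (path.Join
// cleans it, collapsing "..") and reports which bucket directory it lands in.
func effectiveBucket(bucket, object string) string {
	full := path.Join(bucketsRoot, bucket, object)
	b, _, _ := strings.Cut(strings.TrimPrefix(full, bucketsRoot+"/"), "/")
	return b
}

// validatePathVar rejects the values the fix is described as refusing.
// multiSegment is true for object keys, which may legitimately contain "/".
func validatePathVar(v string, multiSegment bool) error {
	if strings.ContainsAny(v, "\x00\\") {
		return errors.New("NUL byte or backslash in path variable")
	}
	if !multiSegment && strings.Contains(v, "/") {
		return errors.New("slash in single-segment path variable")
	}
	for _, seg := range strings.Split(v, "/") {
		if seg == "." || seg == ".." {
			return errors.New("dot segment in path variable")
		}
	}
	return nil
}

func main() {
	b, o := routeVars("/bucket-A/../evil-bucket/key")
	fmt.Printf("authorized=%s effective=%s check=%v\n", b, effectiveBucket(b, o), validatePathVar(o, true))
}
```

Running the check before policy evaluation and before the join keeps the authorized bucket and the bucket on disk the same value.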

Compliance Impact

CVE-2026-54917 allows unauthorized cross-bucket access due to a path traversal vulnerability in SeaweedFS. This breaks tenant isolation by enabling attackers to read or write data in buckets they should not have access to, even when authentication is enabled.

Such unauthorized access to data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict access controls and tenant data isolation to protect sensitive information.

The vulnerability creates an authorization confused-deputy scenario where IAM policies are evaluated against the original bucket but the actual I/O operations target a different bucket, undermining the effectiveness of access controls.

Therefore, until patched, systems using vulnerable versions of SeaweedFS may fail to comply with regulatory requirements for data confidentiality, integrity, and tenant isolation.

Impact Analysis

This vulnerability can lead to unauthorized access and modification of data in other buckets within the SeaweedFS storage system. An attacker can exploit the path traversal to read or write data in buckets they should not have access to.

If authentication is disabled, attackers can directly access other buckets without restriction. If authentication is enabled, the vulnerability causes an authorization confused-deputy problem where access control checks are performed on the original bucket, but the actual operation targets a different bucket, effectively bypassing tenant isolation.

This can lead to data breaches, data corruption, or unauthorized data manipulation, compromising the confidentiality and integrity of stored data.

Detection Guidance

This vulnerability can be detected by monitoring for HTTP requests that contain path traversal sequences such as "../" or their encoded variants like "%2e%2e" in the URL paths targeting the SeaweedFS S3 or Iceberg REST APIs.

You can use network monitoring or web server logs to search for suspicious requests. For example, using command-line tools to scan logs or live traffic for such patterns:

  • Using grep on access logs (case-insensitive, so that "%2E%2E" is matched as well): grep -Ei '\.\./|%2e%2e' /path/to/seaweedfs/access.log
  • Using tcpdump or tshark to capture HTTP requests and filter for traversal patterns in URLs.
  • Deploying a reverse proxy or WAF with rules to detect and block requests containing ".." or encoded traversal sequences.

Additionally, enabling detailed logging and reviewing rejected requests by the validation middleware (if patched) can help detect attempts to exploit this vulnerability.
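A segment-based log check, as an added example that is not part of the original page or of SeaweedFS: it percent-decodes the request path once and flags "." or ".." segments, so partially encoded forms are caught and names that merely end in ".." are not. The access-log layout, the sample lines and the function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// requestTarget extracts the URL from a quoted request line (assumed log layout).
var requestTarget = regexp.MustCompile(`"[A-Z]+ (\S+) HTTP/[0-9.]+"`)

// hasDotSegment reports whether the request path has a "." or ".." segment,
// written literally or percent-encoded in any case (one decoding round).
func hasDotSegment(rawTarget string) bool {
	p, _, _ := strings.Cut(rawTarget, "?") // only the path part is inspected
	dec, err := url.PathUnescape(p)
	if err != nil {
		dec = p // malformed escape: fall back to the raw path
	}
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(dec, isSep) {
		if seg == "." || seg == ".." {
			return true
		}
	}
	return false
}

// suspiciousLines returns the log lines whose request path has a dot segment.
func suspiciousLines(lines []string) []string {
	var hits []string
	for _, l := range lines {
		if m := requestTarget.FindStringSubmatch(l); m != nil && hasDotSegment(m[1]) {
			hits = append(hits, l)
		}
	}
	return hits
}

// sampleLog is constructed for this example, not taken from a real deployment.
var sampleLog = []string{
	`10.0.0.5 - - [25/Jun/2026:10:00:01 +0000] "GET /bucket-A/archive../key HTTP/1.1" 200 512`,
	`10.0.0.9 - - [25/Jun/2026:10:00:02 +0000] "GET /bucket-A/../evil-bucket/key HTTP/1.1" 200 64`,
	`10.0.0.9 - - [25/Jun/2026:10:00:03 +0000] "PUT /bucket-A/.%2E/evil-bucket/key HTTP/1.1" 200 0`,
}

func main() { fmt.Println(len(suspiciousLines(sampleLog)), "suspicious request(s)") }
```

The logs must record the request path as received; a proxy that normalizes the path before logging hides the segments this check looks for.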

Mitigation Strategies

The primary mitigation is to upgrade SeaweedFS to version 4.30 or later, where the vulnerability is fixed by introducing centralized path-validation middleware that rejects unsafe path segments such as "..", ".", NUL bytes, and embedded slashes or backslashes in path variables.

If upgrading immediately is not possible, a temporary workaround is to deploy a reverse proxy in front of the SeaweedFS S3 and Iceberg REST APIs that normalizes paths and blocks requests containing path traversal sequences.

Disabling authentication is not a mitigation and should be avoided, as it removes the only remaining protection and makes the system more vulnerable.

Also, ensure logging middleware is configured to capture rejected requests for auditing and monitoring purposes.
