Path Traversal in SeaweedFS S3 Gateway

Impact Analysis

This vulnerability can have serious impacts by allowing an authenticated user with write access to one bucket to delete arbitrary objects in other tenants' buckets. This breaks tenant isolation and can lead to data loss across multiple users or customers sharing the same SeaweedFS deployment.

Because the attacker can bypass authorization controls, they can cause unauthorized deletions, potentially disrupting services, causing loss of critical data, and undermining trust in the storage system's security.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-58372 is a path traversal vulnerability in SeaweedFS versions before 4.34, specifically in the S3 gateway's DeleteMultipleObjectsHandler. Authenticated S3 users with write access to a single bucket can exploit this flaw by including directory traversal sequences (../) in the DeleteObjects XML request body. This allows them to delete objects in other tenants' buckets, bypassing authorization controls. The root cause is that the validateRequestPath middleware only checks URL path variables and does not validate keys in the request body, enabling attackers to manipulate the filer path to escape the authorized bucket.

The vulnerability arises from a confused deputy condition where the system authorizes based on the URL path but performs deletion based on the request body keys, which can contain traversal sequences. This leads to unauthorized deletion of objects outside the user's permitted bucket.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves path traversal sequences (../) in the DeleteObjects XML request body sent to the SeaweedFS S3 gateway's DeleteMultipleObjectsHandler. Detection can focus on monitoring S3 DeleteObjects requests for suspicious object keys containing directory traversal patterns.

You can detect potential exploitation attempts by inspecting logs or network traffic for DeleteObjects requests with object keys that include '../' sequences.

• Use network packet capture tools (e.g., tcpdump or Wireshark) to filter HTTP requests to the S3 gateway and search for DeleteObjects XML bodies containing '../'.
• Example tcpdump command to capture HTTP POST requests to the S3 gateway (assuming default port 8333): tcpdump -A -s 0 'tcp port 8333 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'DeleteObjects'
• Extract and analyze the XML payloads from captured traffic or logs to identify object keys containing '../' sequences.

Additionally, review application logs for any DeleteObjects requests where object keys contain suspicious path traversal patterns.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade SeaweedFS to version 4.34 or later, where the vulnerability has been fixed by comprehensive input validation and path safety enforcement.

The fix includes rejecting unsafe path components in the S3 API, Iceberg, and Filer services, validating all paths touched by requests before processing, and enforcing scoped filesystem access.

Until you can upgrade, consider monitoring and blocking DeleteObjects requests containing directory traversal sequences in the request body.

Review and tighten IAM policies to limit write access to only necessary buckets and users.

Implement network-level controls such as reverse proxies or WAF rules to detect and block requests with suspicious path traversal patterns in the DeleteObjects XML body.

Useful 0 Not Useful 0