CVE-2026-55873
Deferred Deferred - Pending Action

SigV4 S3Tables API Authorization Bypass in SeaweedFS

Vulnerability report for CVE-2026-55873, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

SeaweedFS is a distributed storage system. In versions 4.08 through 4.33, requests signed with SigV4 service s3tables are routed to the S3Tables management API where authorization collapses account-less S3 identities into the shared admin account and fails open, allowing an authenticated low-privileged S3 user to enumerate administrator-owned table bucket names and ARNs. This issue is fixed in version 4.34.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
seaweedfs seaweedfs From 4.08 (inc) to 4.33 (inc)
seaweedfs seaweedfs 4.34

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in SeaweedFS versions 4.08 through 4.33 in the S3Tables component. Requests signed with SigV4 service s3tables are routed to the S3Tables management API where authorization improperly collapses account-less S3 identities into a shared admin account. This failure causes the system to 'fail open,' allowing an authenticated low-privileged S3 user to enumerate administrator-owned table bucket names and ARNs.

The root cause is that static identities without explicit account configurations default to the shared admin account, granting unauthorized admin privileges. Additionally, the default-allow fallback mechanism was overly permissive, allowing authenticated users access without proper permission checks.

The issue was fixed in version 4.34 by improving identity-to-account mapping, restricting default-allow fallback to only unauthenticated requests, removing redundant permission gates, and enforcing explicit permission checks based on the caller's identity and action context.

Impact Analysis

This vulnerability allows a low-privileged authenticated S3 user to enumerate administrator-owned table bucket names and ARNs. This means unauthorized users can gain visibility into sensitive tenant structures and administrative resources within a multi-tenant environment.

While the vulnerability does not directly impact data integrity or availability, it exposes sensitive information that could be leveraged for further attacks or unauthorized management operations.

Because the vulnerability requires only low privileges and has low attack complexity, it poses a moderate security risk, potentially leading to unauthorized information disclosure.

Mitigation Strategies

The vulnerability in SeaweedFS versions 4.08 through 4.33 allows low-privileged authenticated S3 users to enumerate administrator-owned table buckets due to improper authorization.

The immediate and recommended mitigation step is to upgrade SeaweedFS to version 4.34 or later, where this issue is fixed.

No workaround exists for this vulnerability, so applying the official patch by upgrading is necessary.

Compliance Impact

The vulnerability in SeaweedFS versions 4.08 through 4.33 allows authenticated low-privileged S3 users to enumerate administrator-owned table bucket names and ARNs due to improper authorization. This unauthorized access to sensitive metadata could lead to exposure of tenant structures in multi-tenant environments.

Such unauthorized disclosure of administrative resource information may impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and metadata to protect privacy and confidentiality.

The issue is fixed in version 4.34 by enforcing proper authorization checks and restricting default-allow permissions, thereby reducing the risk of unauthorized access and helping maintain compliance with data protection requirements.

Detection Guidance

This vulnerability involves improper authorization in the SeaweedFS S3Tables management API, allowing low-privileged authenticated S3 users to enumerate administrator-owned table bucket names and ARNs. Detection would involve monitoring or testing for unauthorized access to the S3Tables management API endpoints, especially requests signed with SigV4 targeting actions like listing table buckets.

Since the vulnerability allows enumeration of admin-owned buckets via the ListTableBuckets operation without proper authorization, one way to detect it is to attempt to perform such requests using low-privileged S3 credentials and observe if the response includes admin-owned bucket information.

Specific commands or tools are not provided in the available resources. However, a general approach could be to use AWS CLI or compatible S3 clients configured with low-privileged credentials to send requests to the SeaweedFS S3Tables API endpoints, for example:

  • Use an S3 client to list buckets or tables: `aws s3api list-buckets --endpoint-url https://your-seaweedfs-s3-endpoint --profile lowprivuser`
  • Attempt to enumerate table buckets or ARNs via direct HTTP requests signed with SigV4 to the S3Tables management API, observing if unauthorized bucket names are returned.

Monitoring logs for unexpected access patterns or unauthorized enumeration attempts against the S3Tables API can also help detect exploitation attempts.

Ultimately, the recommended mitigation is to upgrade SeaweedFS to version 4.34 or later, where the authorization issues are fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart