CVE-2026-55874
Deferred Deferred - Pending Action

Path Traversal in SeaweedFS S3 API Gateway

Vulnerability report for CVE-2026-55874, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side copy. This issue is fixed in version 4.34.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
seaweedfs seaweedfs to 4.34 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-55874 vulnerability in SeaweedFS is a path traversal issue in the S3 API gateway's X-Amz-Copy-Source header. This header is used in CopyObject and UploadPartCopy operations. Prior to version 4.34, the system did not properly reject path segments like ".." in this header, which allowed an authenticated user scoped to one bucket to read objects from other buckets.

This flaw enables a confused-deputy authorization bypass, meaning an identity restricted to a single bucket could access data in other buckets by exploiting the lack of validation in the copy source path. The vulnerability affects confidentiality by allowing unauthorized access to sensitive data across buckets.

The issue was partially addressed in version 4.30 for request URL paths but remained in the X-Amz-Copy-Source header until fixed in version 4.34.

Impact Analysis

This vulnerability can impact you by allowing an attacker with authenticated access to one bucket to read objects from other buckets that they should not have access to. This breaks the intended bucket isolation and confidentiality of stored data.

Because the attacker can exploit the CopyObject and UploadPartCopy operations to access data across buckets, sensitive information could be exposed to unauthorized users.

The CVSS score of 7.7 (High) indicates a significant risk, with a network attack vector, low attack complexity, and requiring only low privileges.

Users are advised to upgrade to SeaweedFS version 4.34 or later or implement a reverse proxy workaround to filter malicious headers to mitigate this risk.

Detection Guidance

This vulnerability involves exploitation of the X-Amz-Copy-Source header in S3 API requests to perform path traversal attacks. Detection can focus on monitoring network traffic or logs for suspicious CopyObject or UploadPartCopy requests containing path traversal sequences such as ".." in the X-Amz-Copy-Source header.

  • Inspect HTTP requests to the SeaweedFS S3 gateway for the presence of ".." or encoded equivalents (e.g., %2e%2e) in the X-Amz-Copy-Source header.
  • Use network packet capture tools like tcpdump or Wireshark to filter for S3 API calls and analyze headers for traversal patterns.
  • Example command to capture HTTP traffic on port 8333 (default SeaweedFS S3 port) and filter for suspicious headers: tcpdump -A -s 0 'tcp port 8333 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'X-Amz-Copy-Source'
  • Search server logs for requests with X-Amz-Copy-Source headers containing ".." sequences.
Mitigation Strategies

The primary mitigation is to upgrade SeaweedFS to version 4.34 or later, where the vulnerability is fixed by validating the X-Amz-Copy-Source header to reject path traversal sequences.

If immediate upgrade is not possible, implement a reverse proxy or firewall rule to filter and block requests containing suspicious X-Amz-Copy-Source headers with path traversal patterns such as "..".

Review and restrict permissions for identities scoped to buckets to minimize potential impact.

Compliance Impact

The vulnerability in SeaweedFS allows an authenticated user scoped to one bucket to read objects from other buckets due to improper validation of the X-Amz-Copy-Source header. This leads to unauthorized access to sensitive data across buckets, impacting data confidentiality.

Such unauthorized data access can result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls on data confidentiality and access restrictions.

Organizations using affected versions of SeaweedFS prior to 4.34 may risk violating these regulations if sensitive data is exposed due to this vulnerability.

To maintain compliance, it is critical to upgrade to SeaweedFS version 4.34 or later, where the vulnerability is fixed, or implement mitigating controls such as reverse proxy filtering to prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55874. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart