Description
oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware and the bucket handler. The authentication middleware evaluates resource path patterns against the percent-encoded request URI (r.URL.RequestURI()), while the bucket handler constructs S3 object keys from the decoded path (r.URL.Path). This mismatch, combined with the glob library being invoked without a path separator (causing * to match across / boundaries), allows unauthenticated attackers to write to, read from, or delete objects in protected S3 namespaces. Exploitation is possible via three techniques: (1) using * patterns that match across path separators to reach protected routes via path traversal (e.g., /open/foo/drafts/../restricted/), (2) using percent-encoded slashes (%2F) to collapse multiple path segments into a single token at the auth layer while the decoded form resolves to a protected namespace at the storage layer, and (3) using dot-dot segments (../) under ** prefix patterns, where the raw path matches an open route while Go's URL parser resolves the traversal to a protected path before the bucket handler runs. An unauthenticated attacker with network access can perform unauthorized PUT, GET, or DELETE operations on objects in authentication-protected S3 namespaces. This vulnerability is fixed in 5.0.0.
Published: 2026-05-11
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authentication bypass: the authentication middleware matches resource path patterns against the percent‑encoded request URI, while the bucket handler builds S3 object keys from the decoded path, so a request that matches an open pattern at the auth layer can resolve to a protected object at the storage layer. An unauthenticated attacker can use this to read, write or delete S3 objects in namespaces that require authentication.

Affected Systems

Any instance of oxyno‑zeta s3‑proxy older than version 5.0.0 is affected. There is a single vendor and product, and every release prior to 5.0.0 contains the flaw.

Risk and Exploitability

The flaw has a CVSS score of 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), is not listed in CISA’s KEV catalog, and its EPSS score is not available. An attacker with network access exploits it with unauthenticated HTTP requests whose path is accepted by an open * or ** pattern at the auth layer but, once percent‑encoded slashes are decoded and dot‑dot segments are resolved, lands in a protected namespace at the storage layer, so objects can be read, written or deleted without credentials.

Generated by OpenCVE AI on May 11, 2026 at 22:46 UTC.

Remediation

Fixed by the vendor in s3‑proxy 5.0.0 (see GHSA-rfgq-wgg8-662p). No workaround is documented.

OpenCVE Recommended Actions

  • Upgrade s3‑proxy to version 5.0.0 or later to receive the fix for the path interpretation mismatch.
  • If an upgrade cannot be performed immediately, restrict network access to the proxy to trusted clients (for example behind a VPN or an authenticating reverse proxy), or disable public endpoints that expose S3 namespaces.
  • Review URI handling so that the authentication check and the bucket handler evaluate the same decoded, normalized path, the glob matcher is given / as its separator so that a single * cannot span path segments, and requests whose raw path contains %2F or dot‑dot segments are rejected.
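The split the Description explains, and the canonicalisation the recommended actions call for, as an added Go example that is not s3-proxy's own code: a constructed rule set, a glob compiled with and without a path separator, and requests modelled on the advisory's three techniques pushed through the pre-5.0.0 check (percent-encoded RequestURI for auth, decoded Path for the key), through a separator-only fix, and through a hardened check that decodes and cleans once and matches on that single value. The rule type and patterns, the evaluate helper, and the use of path.Clean to stand in for wherever the real proxy collapses ".." before the key reaches S3 are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"regexp"
	"strings"
)

// rule is a hypothetical stand-in for one s3-proxy resource entry: a glob over
// the request path and whether anonymous access is permitted.
type rule struct {
	pattern string
	public  bool
}

// Constructed configuration for this example (not the project's own format).
// Rules are evaluated in order; the first match decides. Anything unmatched is denied.
var rules = []rule{
	{pattern: "/open/foo/drafts/*", public: true}, // one level of files, anonymous
	{pattern: "/pub/**", public: true},            // whole tree, anonymous
	{pattern: "/open/**", public: false},          // everything else under /open needs auth
	{pattern: "/restricted/**", public: false},
}

// globToRegexp compiles a glob. With sep == "" a single '*' matches anything,
// '/' included, which models a glob library compiled without a separator.
// With sep == "/" a single '*' stops at a slash and only '**' may cross segments.
func globToRegexp(pattern, sep string) *regexp.Regexp {
	var b strings.Builder
	b.WriteString("^")
	for i := 0; i < len(pattern); i++ {
		switch {
		case strings.HasPrefix(pattern[i:], "**"):
			b.WriteString(".*")
			i++ // consume the second '*'
		case pattern[i] == '*' && sep == "":
			b.WriteString(".*")
		case pattern[i] == '*':
			b.WriteString("[^" + regexp.QuoteMeta(sep) + "]*")
		default:
			b.WriteString(regexp.QuoteMeta(pattern[i : i+1]))
		}
	}
	b.WriteString("$")
	return regexp.MustCompile(b.String())
}

// isPublic reports whether the first rule matching p allows anonymous access.
func isPublic(p, sep string) bool {
	for _, r := range rules {
		if globToRegexp(r.pattern, sep).MatchString(p) {
			return r.public
		}
	}
	return false
}

// verdict pairs the object key a handler would use with the auth decision made for it.
type verdict struct {
	Key     string
	Allowed bool
}

// evaluate runs one request through three checks:
//   - vulnerable: the pre-5.0.0 split, auth on the percent-encoded RequestURI with a
//     separator-less glob, key from the decoded r.URL.Path;
//   - sepOnly: the same split with only the separator fix applied;
//   - hardened: decode and clean once, use that one value for both the match
//     (separator-aware) and the key, and reject encoded slashes outright.
// path.Clean stands in for wherever the real proxy collapses ".." before the key
// reaches S3; that placement is an assumption of this example.
func evaluate(target string) (vulnerable, sepOnly, hardened verdict) {
	r := httptest.NewRequest(http.MethodGet, target, nil)
	raw := r.URL.RequestURI()     // percent-encoded, ".." not resolved
	key := path.Clean(r.URL.Path) // decoded, ".." resolved

	vulnerable = verdict{Key: key, Allowed: isPublic(raw, "")}
	sepOnly = verdict{Key: key, Allowed: isPublic(raw, "/")}

	encodedSlash := strings.Contains(strings.ToLower(r.URL.EscapedPath()), "%2f")
	hardened = verdict{Key: key, Allowed: !encodedSlash && isPublic(key, "/")}
	return vulnerable, sepOnly, hardened
}

// Constructed unauthenticated probes, one per technique in the advisory, plus a
// legitimate request that the hardened check must still allow.
var probes = []string{
	"/open/foo/drafts/../restricted/secret",     // (1) ".." swallowed by a separator-less '*'
	"/open/foo/drafts/..%2Frestricted%2Fsecret", // (2) encoded slashes: one token for auth, three segments for storage
	"/pub/../restricted/secret",                 // (3) ".." under a '**' prefix
	"/open/foo/drafts/report.txt",               // legitimate anonymous read
}

func main() {
	for _, p := range probes {
		v, s, h := evaluate(p)
		fmt.Printf("%-44s key=%-28s vulnerable=%-5t sepOnly=%-5t hardened=%t\n",
			p, v.Key, v.Allowed, s.Allowed, h.Allowed)
	}
}
```

The second probe is the one to watch: with only the separator fix, the single raw token ..%2Frestricted%2Fsecret still satisfies the drafts rule, while the decoded key is /open/foo/restricted/secret. A separator-aware glob closes technique (1) but not (2) or (3); only matching on the same decoded, cleaned value the handler uses closes all three.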


Tracking


Advisories

  • GitHub GHSA GHSA-rfgq-wgg8-662p: S3-Proxy has Security Issues in its Resource Path Matching Implementation
History

Mon, 11 May 2026 23:15:00 +0000 (values added)

  • First time appeared: Oxyno-zeta; Oxyno-zeta s3-proxy
  • Vendors & Products: Oxyno-zeta; Oxyno-zeta s3-proxy

Mon, 11 May 2026 20:15:00 +0000 (values added)

  • Description: the advisory text given in the Description section above
  • Title: oxyno-zeta/s3-proxy: Security Issues in Resource Path Matching
  • Weaknesses: CWE-22, CWE-863
  • References:
  • Metrics: cvssV3_1 {'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-11T19:26:44.897Z
Reserved: 2026-04-30T18:49:06.711Z
Link: CVE-2026-42882

Vulnrichment

No data.

NVD

Status: Received
Published: 2026-05-11T20:25:44.450
Modified: 2026-05-11T20:25:44.450
Link: CVE-2026-42882

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:00:19Z

Weaknesses