Description
SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers with mux.NewRouter().SkipClean(true). With path cleaning disabled, a .. segment inside the URL survives routing, so a request such as `GET /bucket-A/../evil-bucket/key` is matched as bucket=bucket-A, object=../evil-bucket/key. The captured object key is then joined into a filer path with util.JoinPath (S3) / path.Join (Iceberg), which collapse the .. server-side, so the actual read or write lands in evil-bucket. This vulnerability is fixed in 4.30.
Published: 2026-06-25
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SeaweedFS’s S3 and Iceberg REST gateways allow path traversal that can redirect operations from one bucket to another by using a '..' segment in the request URL. The routers were created with path cleaning disabled, which lets the '..' component survive into the object key portion of the request. When the key is later resolved into a filer path, server‑side path normalization collapses the '..', causing the read or write to occur in the target bucket specified after the traversal. This flaw enables an attacker to read from or modify objects in buckets they should not have access to, thereby compromising confidentiality and integrity of stored data.
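The Description and Impact sections above describe the same mechanism; the Go program below is an added illustration, not SeaweedFS code, that reproduces it with only the standard library: a route captured without path cleaning, the path.Join collapse, and a containment check that rejects a key whose resolved path leaves its bucket. The names bucketsRoot, captureRoute, vulnerableFilerPath and safeFilerPath and the /buckets layout are assumptions; the real gorilla/mux router and util.JoinPath are not used.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// bucketsRoot stands in for the filer prefix under which buckets live (constructed value).
const bucketsRoot = "/buckets"

// captureRoute mimics a "/{bucket}/{object:.+}" route. With skipClean the raw
// path is matched as-is (SkipClean(true)); otherwise it is cleaned first, so
// ".." is collapsed before the bucket is captured.
func captureRoute(rawPath string, skipClean bool) (bucket, object string) {
	if !skipClean {
		rawPath = path.Clean(rawPath)
	}
	parts := strings.SplitN(strings.TrimPrefix(rawPath, "/"), "/", 2)
	if len(parts) == 2 {
		return parts[0], parts[1]
	}
	return parts[0], ""
}

// vulnerableFilerPath mirrors the flaw: path.Join collapses the ".." in the key server-side.
func vulnerableFilerPath(bucket, object string) string {
	return path.Join(bucketsRoot, bucket, object)
}
var errTraversal = errors.New("object key resolves outside its bucket")
// safeFilerPath does the same join but rejects any result that is not the
// bucket directory or a path beneath it (illustrative guard, not the 4.30 fix).
func safeFilerPath(bucket, object string) (string, error) {
	bucketDir := path.Join(bucketsRoot, bucket)
	joined := path.Join(bucketDir, object)
	// The bucket must be exactly one directory under bucketsRoot and the key
	// must stay at or beneath it; path.Join has already cleaned both.
	if path.Dir(bucketDir) != bucketsRoot ||
		joined != bucketDir && !strings.HasPrefix(joined, bucketDir+"/") {
		return "", errTraversal
	}
	return joined, nil
}

func main() {
	b, o := captureRoute("/bucket-A/../evil-bucket/key", true) // advisory's example
	fmt.Println("captured:", b, o, "vulnerable join:", vulnerableFilerPath(b, o))
	_, err := safeFilerPath(b, o)
	fmt.Println("hardened join:", err)
}
```

Running captureRoute with skipClean=false shows the other half of the story: the cleaned request is captured as bucket=evil-bucket, object=key, so any per-bucket authorization check is evaluated against the bucket actually accessed.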

Affected Systems

SeaweedFS (vendor seaweedfs, product seaweedfs). All releases prior to version 4.30 are vulnerable; the issue was fixed in 4.30. Users running earlier versions of SeaweedFS with the S3 API gateway or the Iceberg REST catalog gateway should update to the patched release.

Risk and Exploitability

The CVSS score of 7.8 reflects a high‑impact vulnerability. EPSS data is not available, so the likelihood of exploitation remains unknown, but the issue is not listed in CISA’s KEV catalog. Based on the description, the attacker must send HTTP requests to the exposed S3 or Iceberg endpoints; authentication requirements are not specified, so it is reasonable to infer that the attack can be carried out as long as the gateway is reachable. The combination of a publicly exposed API and the ability to craft a malicious URL makes this vulnerability potentially exploitable by remote actors with basic network access.

Generated by OpenCVE AI on June 25, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SeaweedFS to version 4.30 or later, which removes the path‑cleaning bypass and fixes the traversal flaw.
  • If an immediate upgrade is not possible, restrict network access to the S3 and Iceberg API endpoints behind a firewall or VPN to limit exposure to trusted hosts.
  • Configure or enforce bucket‑level access controls and policies that prevent access to buckets you do not intend to expose through the gateway.
  • Monitor API traffic for requests containing '../' patterns or atypical bucket names and investigate any unanticipated access attempts.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 01:30:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Seaweedfs; Seaweedfs seaweedfs
Vendors & Products                     Seaweedfs; Seaweedfs seaweedfs

Thu, 25 Jun 2026 20:30:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 19:00:00 +0000

Type          Values Removed    Values Added
Description                     SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers with mux.NewRouter().SkipClean(true). With path cleaning disabled, a .. segment inside the URL survives routing, so a request such as `GET /bucket-A/../evil-bucket/key`, is matched as bucket=bucket-A, object=../evil-bucket/key. The captured object key is then joined into a filer path with util.JoinPath (S3) / path.Join (Iceberg), which collapse the .. server-side, so the actual read or write lands in evil-bucket. This vulnerability is fixed in 4.30.
Title                           SeaweedFS: Path traversal in the S3 and Iceberg REST gateways allows cross-bucket access
Weaknesses                      CWE-22
References
Metrics                         cvssV4_0 {'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T19:05:31.072Z

Reserved: 2026-06-16T13:49:33.557Z

Link: CVE-2026-54917

Vulnrichment

Updated: 2026-06-25T19:04:53.899Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T01:15:04Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')