Description
SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the DeleteObjects XML request body. Attackers can bypass authorization controls through a confused deputy condition, as the validateRequestPath middleware only inspects URL-captured path variables and never examines request-body keys, allowing the filer path to collapse directory traversal sequences and resolve deletions outside the authorized bucket.
Published: 2026-06-30
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SeaweedFS before version 4.34 contains a path traversal flaw (CWE-22) in its S3 gateway DeleteMultipleObjectsHandler that allows an authenticated S3 principal with write permissions on one bucket to delete arbitrary objects located in other tenants’ buckets. The vulnerability is triggered by supplying object keys that include "../" sequences in the DeleteObjects XML request body, which the middleware ignores during path validation. This permits a confused‑deputy attack that bypasses bucket‑level authorization controls and results in the loss of data from unintended buckets.

Affected Systems

The affected product is SeaweedFS. Users running SeaweedFS prior to the 4.34 release are vulnerable to this cross‑bucket object deletion flaw.

Risk and Exploitability

The CVSS score of 7.2 denotes a medium‑to‑high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires only authenticated S3 access with write rights on a bucket; an attacker can craft a DeleteObjects request containing traversal sequences and delete objects from any other tenant’s bucket without needing additional privileges.

Generated by OpenCVE AI on June 30, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SeaweedFS to version 4.34 or later to fix the path traversal weakness (CWE-22).
  • Review and tighten S3 bucket permissions to ensure principals only have write access to buckets they are authorized to manage.
  • If the S3 gateway is not required for a deployment, disable it or restrict the DeleteObjects API to trusted accounts only.

Generated by OpenCVE AI on June 30, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 30 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the DeleteObjects XML request body. Attackers can bypass authorization controls through a confused deputy condition, as the validateRequestPath middleware only inspects URL-captured path variables and never examines request-body keys, allowing the filer path to collapse directory traversal sequences and resolve deletions outside the authorized bucket.
Title SeaweedFS < 4.34 - Cross-Bucket Object Deletion via DeleteObjects Request-Body Keys
First Time appeared Seaweedfs
Seaweedfs seaweedfs
Weaknesses CWE-22
CPEs cpe:2.3:a:seaweedfs:seaweedfs:*:*:*:*:*:*:*:*
Vendors & Products Seaweedfs
Seaweedfs seaweedfs
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Seaweedfs Seaweedfs
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T17:32:37.848Z

Reserved: 2026-06-30T12:28:02.980Z

Link: CVE-2026-58372

cve-icon Vulnrichment

Updated: 2026-06-30T17:32:24.395Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T21:00:13Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')