CVE-2026-55874 PUBLISHED

SeaweedFS: Path traversal in the S3 gateway X-Amz-Copy-Source header allows cross-bucket object read

Assigner: GitHub_M
Reserved: 17.06.2026 Published: 08.07.2026 Updated: 08.07.2026

SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side copy. This issue is fixed in version 4.34.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS Score: 7.7

Product Status

Vendor seaweedfs
Product seaweedfs
Versions
  • Version < 4.34 is affected

References

Problem Types

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE