PT-2026-60377 · Pypi · Tensorzero

Publicado

2026-07-15

·

Atualizado

2026-07-15

·

CVE-2026-54457

CVSS v3.1

7.7

Alta

VetorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Impact

The /internal/object storage endpoint accepts a caller-supplied JSON storage path parameter that dynamically overrides the TensorZero [object storage] configuration.
By abusing the filesystem storage type, a caller can read arbitrary files from the gateway filesystem, including files that may contain sensitive credentials. Similarly, by abusing the s3 compatible storage type, the caller can coerce the gateway into making outbound object storage requests to attacker-chosen internal/cloud-metadata endpoints.
This vulnerability only applies when the gateway can be accessed by untrusted callers. If a developer's TensorZero deployment has authentication enabled, only authenticated callers can exploit this vulnerability. If a developer's deployment has authentication disabled, any caller can exploit this vulnerability.

Remediation

The vulnerability has been patched in version 2026.6.0. See PR #7527.

Workarounds

If developers are unable to upgrade a gateway that is exposed to untrusted callers, please block external access to the /internal/object storage endpoint.

Correção

SSRF

Files Accessible to External Parties

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-54457
GHSA-824W-X939-6CMC

Produtos afetados

Tensorzero