PT-2026-37288 · S3-Proxy · S3-Proxy

Argos83 · Published 2026-05-05 · Updated 2026-05-11 · CVE-2026-42882

CVSS v3.1: 9.4 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: s3-proxy versions prior to 0.0.0-20260424211602-1320e4abd46a
Description: Inconsistent URL path normalization and routing logic lead to authorization bypasses that allow unauthenticated access to protected objects. The issues stem from a mismatch between how the authentication middleware and the bucket handler process request paths, specifically percent-encoded characters and dot segments.
Technical details include:
  • Path Wildcard Matching: glob.Compile() is called without a separator, so the * wildcard matches across directory boundaries (including /). A request can therefore match an open route while targeting a path under a protected prefix.
  • Percent-Encoded Slash Bypass: The authentication middleware matches the still-encoded path (via r.URL.RequestURI()) while the bucket handler uses the decoded path (r.URL.Path). An attacker can use %2F so that the path appears as a single segment to the authenticator but as multiple segments to the handler, bypassing per-path restrictions.
  • Path Traversal: With prefix-style patterns using ** (e.g., /open/**), the lack of path normalization allows dot-segment traversal (e.g., /open/../restricted/). The authentication middleware matches the raw path against the open prefix, while the bucket handler processes the resolved path, granting access to restricted namespaces.
Recommendations: Update s3-proxy to version 0.0.0-20260424211602-1320e4abd46a or later. As a temporary mitigation, review resource path definitions, use ** only where multi-segment matching is explicitly intended, and avoid prefix-style ** patterns for open routes when path normalization is not guaranteed.
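The three mismatches above, and why only matching on the same normalized key the handler uses closes all of them, as an added Go example. This is not s3-proxy's code: the route table, the request URIs, the small glob-to-regexp stand-in for a separator-aware glob compiler, and the use of path.Clean to model the handler's resolved path are all constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"regexp"
	"strings"
)

// Route is a hypothetical resource-path rule: an open route needs no
// credentials, anything else is protected (a model, not s3-proxy's config types).
type Route struct {
	Pattern string
	Open    bool
}

// Constructed route table: "/public/*" is meant to expose single files directly
// under /public/, "/docs/**" a whole subtree; everything else is protected.
var routes = []Route{
	{Pattern: "/public/*", Open: true},
	{Pattern: "/docs/**", Open: true},
	{Pattern: "/public/internal/**", Open: false},
	{Pattern: "/private/**", Open: false},
}

// globToRegexp is a stand-in for a glob compiler (assumed ASCII patterns):
// "**" matches anything, "*" matches any run of bytes, and when sep is
// non-empty "*" stops at that separator, as compiling with '/' should do.
func globToRegexp(pattern, sep string) *regexp.Regexp {
	var sb strings.Builder
	sb.WriteString("^")
	for i := 0; i < len(pattern); i++ {
		switch {
		case pattern[i] == '*' && i+1 < len(pattern) && pattern[i+1] == '*':
			sb.WriteString(".*")
			i++ // consume the second '*'
		case pattern[i] == '*':
			if sep == "" {
				sb.WriteString(".*") // no separator: '*' crosses '/'
			} else {
				sb.WriteString("[^" + regexp.QuoteMeta(sep) + "]*")
			}
		default:
			sb.WriteString(regexp.QuoteMeta(pattern[i : i+1]))
		}
	}
	sb.WriteString("$")
	return regexp.MustCompile(sb.String())
}

// newRequest builds the request as a client would send the raw URI; net/url
// keeps "%2F" in RawPath (so RequestURI() still shows it) and leaves ".." unresolved.
func newRequest(rawURI string) *http.Request {
	r, err := http.NewRequest(http.MethodGet, "http://bucket.local"+rawURI, nil)
	if err != nil {
		panic(err)
	}
	return r
}

// objectKey models the bucket handler: it works on the decoded r.URL.Path and
// resolves dot segments, so this is the key that actually reaches the bucket.
func objectKey(r *http.Request) string {
	return path.Clean(r.URL.Path)
}

// isOpen reports whether the middleware would let the request through without
// credentials. sep="" reproduces the separator-less glob.Compile();
// normalize=false reproduces matching on r.URL.RequestURI() instead of the key.
func isOpen(routes []Route, r *http.Request, sep string, normalize bool) bool {
	subject := r.URL.RequestURI()
	if normalize {
		subject = objectKey(r)
	}
	for _, rt := range routes {
		if rt.Open && globToRegexp(rt.Pattern, sep).MatchString(subject) {
			return true
		}
	}
	return false
}

// evaluate runs one raw URI through the pre-fix checks (no separator, raw URI)
// and the hardened checks ('/' separator, normalized key) and returns both
// decisions plus the key the handler would fetch.
func evaluate(routes []Route, rawURI string) (vulnerableOpen, hardenedOpen bool, key string) {
	r := newRequest(rawURI)
	return isOpen(routes, r, "", false), isOpen(routes, r, "/", true), objectKey(r)
}

func main() {
	for _, uri := range []string{
		"/public/readme.txt",            // legitimate single file
		"/public/internal/secret.txt",   // '*' crossing '/'
		"/public/internal%2Fsecret.txt", // encoded slash: one segment to the authenticator
		"/docs/../private/secret.txt",   // dot-segment traversal under a ** prefix
	} {
		v, h, key := evaluate(routes, uri)
		fmt.Printf("%-32s handler key=%-28s pre-fix open=%-5t hardened open=%t\n", uri, key, v, h)
	}
}
```

Running it prints one line per constructed request. Adding the separator alone (isOpen with sep "/" but normalize false) closes only the first case: "/public/internal%2Fsecret.txt" still looks like a single segment to the matcher, and "/docs/../private/secret.txt" still starts with the open prefix. The authorization decision has to be made on the same decoded, dot-segment-resolved key the handler will use, which is what the normalize branch does.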

Exploit · Fix

Weakness Enumeration: Incorrect Authorization · Path traversal

Related Identifiers: CVE-2026-42882 · GHSA-RFGQ-WGG8-662P

Affected Products: S3-Proxy