PT-2026-56468 · Seaweedfs · Seaweedfs

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-55874

CVSS v3.1

7.7

High

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions SeaweedFS versions prior to 4.34
Description The S3 API gateway fails to properly validate input in the X-Amz-Copy-Source header used by the CopyObject and UploadPartCopy functions. This improper validation allows the use of dot-dot path segments, leading to a path traversal condition during server-side copy source parsing. Consequently, an authenticated user restricted to a single bucket can craft requests to read and copy objects from other buckets, resulting in unauthorized data access and the breach of tenant isolation.
Recommendations Update to version 4.34.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55874

Affected Products

Seaweedfs