PT-2026-56468 · Seaweedfs · Seaweedfs
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-55874
CVSS v3.1
7.7
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
SeaweedFS versions prior to 4.34
Description
The S3 API gateway fails to properly validate input in the
X-Amz-Copy-Source header used by the CopyObject and UploadPartCopy functions. This improper validation allows the use of dot-dot path segments, leading to a path traversal condition during server-side copy source parsing. Consequently, an authenticated user restricted to a single bucket can craft requests to read and copy objects from other buckets, resulting in unauthorized data access and the breach of tenant isolation.Recommendations
Update to version 4.34.
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Seaweedfs