PT-2026-60377 · Pypi · Tensorzero
Published
2026-07-15
·
Updated
2026-07-15
·
CVE-2026-54457
CVSS v3.1
7.7
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
Impact
The
/internal/object storage endpoint accepts a caller-supplied JSON storage path parameter that dynamically overrides the TensorZero [object storage] configuration.By abusing the
filesystem storage type, a caller can read arbitrary files from the gateway filesystem, including files that may contain sensitive credentials. Similarly, by abusing the s3 compatible storage type, the caller can coerce the gateway into making outbound object storage requests to attacker-chosen internal/cloud-metadata endpoints.This vulnerability only applies when the gateway can be accessed by untrusted callers. If a developer's TensorZero deployment has authentication enabled, only authenticated callers can exploit this vulnerability. If a developer's deployment has authentication disabled, any caller can exploit this vulnerability.
Remediation
The vulnerability has been patched in version
2026.6.0. See PR #7527.Workarounds
If developers are unable to upgrade a gateway that is exposed to untrusted callers, please block external access to the
/internal/object storage endpoint.Fix
SSRF
Files Accessible to External Parties
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Tensorzero