PT-2026-60377 · Pypi · Tensorzero

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-54457

CVSS v3.1

7.7

High

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Impact

The /internal/object storage endpoint accepts a caller-supplied JSON storage path parameter that dynamically overrides the TensorZero [object storage] configuration.
By abusing the filesystem storage type, a caller can read arbitrary files from the gateway filesystem, including files that may contain sensitive credentials. Similarly, by abusing the s3 compatible storage type, the caller can coerce the gateway into making outbound object storage requests to attacker-chosen internal/cloud-metadata endpoints.
This vulnerability only applies when the gateway can be accessed by untrusted callers. If a developer's TensorZero deployment has authentication enabled, only authenticated callers can exploit this vulnerability. If a developer's deployment has authentication disabled, any caller can exploit this vulnerability.

Remediation

The vulnerability has been patched in version 2026.6.0. See PR #7527.

Workarounds

If developers are unable to upgrade a gateway that is exposed to untrusted callers, please block external access to the /internal/object storage endpoint.

Fix

SSRF

Files Accessible to External Parties

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54457
GHSA-824W-X939-6CMC

Affected Products

Tensorzero