SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side copy. This issue is fixed in version 4.34.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 08 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 08 Jul 2026 17:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Seaweedfs
Seaweedfs seaweedfs |
|
| Vendors & Products |
Seaweedfs
Seaweedfs seaweedfs |
Wed, 08 Jul 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side copy. This issue is fixed in version 4.34. | |
| Title | SeaweedFS: Path traversal in the S3 gateway X-Amz-Copy-Source header allows cross-bucket object read | |
| Weaknesses | CWE-22 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-08T17:01:02.948Z
Reserved: 2026-06-17T16:59:42.759Z
Link: CVE-2026-55874
Updated: 2026-07-08T16:52:22.834Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T16:45:03Z
Weaknesses