CVE-2026-54917

UNKNOWN 0.0

SeaweedFS: Path traversal in the S3 and Iceberg REST gateways allows cross-bucket access

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers with mux.NewRouter().SkipClean(true). With path cleaning disabled, a .. segment inside the URL survives routing, so a request such as `GET /bucket-A/../evil-bucket/key`, is matched as bucket=bucket-A, object=../evil-bucket/key. The captured object key is then joined into a filer path with util.JoinPath (S3) / path.Join (Iceberg), which collapse the .. server-side, so the actual read or write lands in evil-bucket. This vulnerability is fixed in 4.30.

CWE	CWE-22
Vendor	seaweedfs
Product	seaweedfs
Published	Jun 25, 2026
Last Updated	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for seaweedfs seaweedfs

Be the first to know when new unknown vulnerabilities affecting seaweedfs seaweedfs are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

seaweedfs / seaweedfs

< 4.30

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/seaweedfs/seaweedfs/security/advisories/GHSA-w62w-66v9-vvgv github.com: https://github.com/seaweedfs/seaweedfs/pull/9687