๐Ÿ” CVE Alert

CVE-2026-55873

MEDIUM 4.3

SeaweedFS: Improper authorization in the S3Tables / Iceberg REST management API lets a low-privileged S3 user enumerate administrator-owned table buckets

CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th

SeaweedFS is a distributed storage system. In versions 4.08 through 4.33, requests signed with SigV4 service s3tables are routed to the S3Tables management API where authorization collapses account-less S3 identities into the shared admin account and fails open, allowing an authenticated low-privileged S3 user to enumerate administrator-owned table bucket names and ARNs. This issue is fixed in version 4.34.

CWE CWE-863
Vendor seaweedfs
Product seaweedfs
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for seaweedfs seaweedfs

Be the first to know when new medium vulnerabilities affecting seaweedfs seaweedfs are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Affected Versions

seaweedfs / seaweedfs
>= 4.08, < 4.34

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/seaweedfs/seaweedfs/security/advisories/GHSA-hgpf-8634-g44c github.com: https://github.com/seaweedfs/seaweedfs/pull/9961 github.com: https://github.com/seaweedfs/seaweedfs/commit/b13463880c1fa62e255c058a9228b63cc95b4b36 github.com: https://github.com/seaweedfs/seaweedfs/releases/tag/4.34