CVE-2026-55874
SeaweedFS: Path traversal in the S3 gateway X-Amz-Copy-Source header allows cross-bucket object read
CVSS Score
7.7
EPSS Score
0.0%
EPSS Percentile
0th
SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side copy. This issue is fixed in version 4.34.
| CWE | CWE-22 |
| Vendor | seaweedfs |
| Product | seaweedfs |
| Published | Jul 8, 2026 |
| Last Updated | Jul 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for seaweedfs seaweedfs
Be the first to know when new high vulnerabilities affecting seaweedfs seaweedfs are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
seaweedfs / seaweedfs
< 4.34
References
github.com: https://github.com/seaweedfs/seaweedfs/security/advisories/GHSA-56wq-x3wv-3ff4 github.com: https://github.com/seaweedfs/seaweedfs/pull/9929 github.com: https://github.com/seaweedfs/seaweedfs/commit/b44cf51fe931bd75aa4d37ae766bea90d7f85ccd github.com: https://github.com/seaweedfs/seaweedfs/releases/tag/4.34