CVE-2026-58372

HIGH 8.1

SeaweedFS < 4.34 - Cross-Bucket Object Deletion via DeleteObjects Request-Body Keys

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the DeleteObjects XML request body. Attackers can bypass authorization controls through a confused deputy condition, as the validateRequestPath middleware only inspects URL-captured path variables and never examines request-body keys, allowing the filer path to collapse directory traversal sequences and resolve deletions outside the authorized bucket.

CWE	CWE-22
Vendor	seaweedfs
Product	seaweedfs
Published	Jun 30, 2026

Stay Ahead of the Next One

Get instant alerts for seaweedfs seaweedfs

Be the first to know when new high vulnerabilities affecting seaweedfs seaweedfs are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Affected Versions

seaweedfs / seaweedfs

0 < 4.34

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/seaweedfs/seaweedfs/releases/tag/4.34 github.com: https://github.com/seaweedfs/seaweedfs/pull/9931 github.com: https://github.com/seaweedfs/seaweedfs/commit/0345658ea8e7c6a3948ad190634b00866ec244c9 github.com: https://github.com/seaweedfs/seaweedfs/security/advisories/GHSA-w62w-66v9-vvgv github.com: https://github.com/geo-chen/oss/blob/main/seaweedfs.md vulncheck.com: https://www.vulncheck.com/advisories/seaweedfs-cross-bucket-object-deletion-via-deleteobjects-request-body-keys

Credits

George Chen