CVE-2026-54917
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk26th percentile — higher than 26% of all known CVEs
Summary
SeaweedFS before version 4.30 has a vulnerability due to improper path cleaning in S3 and Iceberg REST catalog routers. An attacker can use '..' sequences in a request to bypass access controls and read or write data in any bucket.
Risk Assessment
The organization is at risk of unauthorized access to data stored in SeaweedFS, including reading, modifying, or deleting objects in other buckets, potentially leading to data leakage or integrity compromise.
Recommendation
Immediately upgrade SeaweedFS to version 4.30 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers with mux.NewRouter().SkipClean(true). With path cleaning disabled, a .. segment inside the URL survives routing, so a request such as `GET /bucket-A/../evil-bucket/key`, is matched as bucket=bucket-A, object=../evil-bucket/key. The captured object key is then joined into a filer path with util.JoinPath (S3) / path.Join (Iceberg), which collapse the .. server-side, so the actual read or write lands in evil-bucket. This vulnerability is fixed in 4.30.

