CVE Catalog

CVE-2026-58372

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.77%

51th percentile — higher than 51% of all known CVEs

Summary

SeaweedFS before version 4.34 has a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler. An authenticated S3 principal with write access to a single bucket can delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the DeleteObjects XML request body.

Risk Assessment

An attacker can bypass authorization controls and delete data in other buckets, leading to data integrity violation and potential information loss. The vulnerability stems from the flawed assumption that URL path validation is sufficient, while request body keys are not inspected.

Recommendation

Immediately upgrade SeaweedFS to version 4.34 or later. If upgrading is not possible, restrict S3 gateway access to trusted principals and monitor DeleteObjects requests for suspicious path sequences.

Original NVD description (English source)

SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the DeleteObjects XML request body. Attackers can bypass authorization controls through a confused deputy condition, as the validateRequestPath middleware only inspects URL-captured path variables and never examines request-body keys, allowing the filer path to collapse directory traversal sequences and resolve deletions outside the authorized bucket.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS