CVE-2026-58372
HighCVSS 8.1Exploitation Probability (EPSS)
Elevated risk51th percentile — higher than 51% of all known CVEs
Summary
SeaweedFS before version 4.34 has a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler. An authenticated S3 principal with write access to a single bucket can delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the DeleteObjects XML request body.
Risk Assessment
An attacker can bypass authorization controls and delete data in other buckets, leading to data integrity violation and potential information loss. The vulnerability stems from the flawed assumption that URL path validation is sufficient, while request body keys are not inspected.
Recommendation
Immediately upgrade SeaweedFS to version 4.34 or later. If upgrading is not possible, restrict S3 gateway access to trusted principals and monitor DeleteObjects requests for suspicious path sequences.
Original NVD description (English source)
SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the DeleteObjects XML request body. Attackers can bypass authorization controls through a confused deputy condition, as the validateRequestPath middleware only inspects URL-captured path variables and never examines request-body keys, allowing the filer path to collapse directory traversal sequences and resolve deletions outside the authorized bucket.

