CVE-2026-54917 in SeaweedFS
Summary
by MITRE • 06/25/2026
SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers with mux.NewRouter().SkipClean(true). With path cleaning disabled, a .. segment inside the URL survives routing, so a request such as `GET /bucket-A/../evil-bucket/key`, is matched as bucket=bucket-A, object=../evil-bucket/key. The captured object key is then joined into a filer path with util.JoinPath (S3) / path.Join (Iceberg), which collapse the .. server-side, so the actual read or write lands in evil-bucket. This vulnerability is fixed in 4.30.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 06/26/2026
SeaweedFS represents a comprehensive distributed storage solution designed to handle object storage through S3-compatible APIs, file system operations, and Iceberg table management. The vulnerability under examination stems from improper URL path handling within the system's API gateways that process both S3 and Iceberg REST catalog requests. This flaw exists in versions prior to 4.30 where the routing mechanisms are configured with SkipClean(true) parameter during router initialization using mux.NewRouter(). This specific configuration choice disables the automatic cleaning of URL paths, creating a critical security gap that allows malicious actors to manipulate request routing through directory traversal sequences.
The technical exploitation of this vulnerability relies on the fundamental difference between how URL paths are processed during routing versus how they are handled when constructing file system paths. When a request such as GET /bucket-A/../evil-bucket/key is received, the router preserves the .. segment due to SkipClean(true) configuration, causing the bucket parameter to be captured as bucket-A while the object parameter captures ../evil-bucket/key. This discrepancy creates a path traversal condition where the captured object key contains directory traversal components that would normally be resolved during normal path processing. The system then employs util.JoinPath for S3 operations and path.Join for Iceberg operations to construct actual file system paths, which automatically resolve the .. segments server-side, effectively redirecting operations from the intended bucket to the malicious target bucket.
The operational impact of this vulnerability extends beyond simple data access manipulation, representing a serious privilege escalation and data integrity threat. An attacker could potentially read or write files in unauthorized buckets by crafting requests that exploit this path traversal mechanism. The vulnerability affects both S3 API gateway functionality and Iceberg REST catalog operations, creating a broad attack surface within the system's storage management capabilities. This weakness directly corresponds to CWE-22 Path Traversal vulnerabilities, specifically targeting improper input handling during file path construction. The issue also aligns with ATT&CK technique T1078 Valid Accounts, as it allows unauthorized access to data within different storage buckets without proper authentication or authorization mechanisms.
The mitigation strategy for this vulnerability involves upgrading to SeaweedFS version 4.30 or later, where the SkipClean(true) configuration has been corrected to properly handle URL path normalization. Security practitioners should also implement additional defensive measures including input validation at multiple layers of the system architecture, regular security audits of routing configurations, and monitoring for unusual path patterns in access logs. Organizations using older versions should consider implementing network-level restrictions and access controls as temporary compensating measures while planning the upgrade process. The fix demonstrates proper secure coding practices by ensuring that URL paths are normalized before being processed for file system operations, preventing directory traversal attacks through early input sanitization rather than relying on post-processing resolution of path components.