CVE-2026-55873 in SeaweedFSinfo

Summary

by MITRE • 07/08/2026

SeaweedFS is a distributed storage system. In versions 4.08 through 4.33, requests signed with SigV4 service s3tables are routed to the S3Tables management API where authorization collapses account-less S3 identities into the shared admin account and fails open, allowing an authenticated low-privileged S3 user to enumerate administrator-owned table bucket names and ARNs. This issue is fixed in version 4.34.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/08/2026

SeaweedFS represents a distributed storage system that implements S3-compatible APIs for object storage operations. The vulnerability analysis reveals a critical authorization flaw within the system's handling of SigV4 signed requests, specifically affecting versions between 4.08 and 4.33. This issue stems from improper account isolation mechanisms within the S3Tables management API component where authentication tokens lacking specific account context are being aggregated into a shared administrative account. The vulnerability manifests as a failure in the authorization process that operates in an overly permissive mode, commonly referred to as "fail open" behavior, which allows unauthorized access patterns that should normally be restricted.

The technical implementation flaw involves the collapse of account-less S3 identities into a single administrative context without proper validation or isolation checks. When low-privileged authenticated S3 users make requests to the S3Tables management API, their credentials are processed through an authorization pathway that does not maintain proper account boundaries. This creates a scenario where legitimate but unauthorized access attempts can leverage the administrative account's permissions to enumerate resources that should remain confidential. The specific mechanism allows for table bucket name and ARN enumeration, which constitutes a significant information disclosure vulnerability that violates fundamental security principles of least privilege and separation of concerns.

The operational impact of this vulnerability extends beyond simple information disclosure to create potential attack vectors for further exploitation. An authenticated low-privileged user can effectively bypass normal access controls to discover administrative resources within the system, potentially enabling reconnaissance activities for more sophisticated attacks such as privilege escalation or targeted resource manipulation. The vulnerability affects the core authorization model of the distributed storage system and represents a failure in the principle of least privilege enforcement. This issue maps directly to CWE-284 (Improper Access Control) and aligns with ATT&CK technique T1078 (Valid Accounts) as it exploits legitimate authentication mechanisms to gain elevated visibility into administrative resources.

The mitigation strategy requires immediate deployment of version 4.34 which addresses the authorization collapse issue through proper account isolation mechanisms. Organizations should implement comprehensive monitoring for unauthorized enumeration attempts and establish strict access controls for management API endpoints. Security teams must verify that all authenticated requests properly maintain account context and that no account-less identities can aggregate into administrative privileges. The fix ensures that S3 identities retain their proper authorization boundaries and prevents the fail open condition that enabled the information disclosure. System administrators should also conduct thorough access control reviews to ensure no other similar authorization collapse scenarios exist within the distributed storage infrastructure.

This vulnerability demonstrates the critical importance of maintaining strict account isolation in distributed systems where multiple user contexts interact with shared management interfaces. The flaw represents a fundamental breakdown in the authorization architecture and highlights the need for comprehensive security testing of authentication and access control mechanisms, particularly in systems implementing S3-compatible APIs. Organizations using affected versions should prioritize immediate remediation as the vulnerability creates persistent exposure to unauthorized enumeration and potential privilege escalation attacks that could compromise the entire distributed storage infrastructure.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!