CVE-2026-54917

Name: CVE-2026-54917
Creator: NVD / NIST
Published: 2026-06-25T19:16:42.23+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.8/10EPSS 0.34%

Last modified Jun 25, 2026

This CVE is reserved or awaiting analysis. Details will appear once published by NVD.

Description

SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers with mux.NewRouter().SkipClean(true). With path cleaning disabled, a .. segment inside the URL survives routing, so a request such as `GET /bucket-A/../evil-bucket/key`, is matched as bucket=bucket-A, object=../evil-bucket/key. The captured object key is then joined into a filer path with util.JoinPath (S3) / path.Join (Iceberg), which collapse the .. server-side, so the actual read or write lands in evil-bucket. This vulnerability is fixed in 4.30.

Metrics

CVSS 4.0

7.8/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.34%

26.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-22

References

Timeline

Published: Jun 25, 2026
Last Modified: Jun 25, 2026
Status: Awaiting Analysis

Are you affected by CVE-2026-54917?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST