{"id":"CVE-2026-58372","summary":"SeaweedFS \u003c 4.34 - Cross-Bucket Object Deletion via DeleteObjects Request-Body Keys","details":"SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the DeleteObjects XML request body. Attackers can bypass authorization controls through a confused deputy condition, as the validateRequestPath middleware only inspects URL-captured path variables and never examines request-body keys, allowing the filer path to collapse directory traversal sequences and resolve deletions outside the authorized bucket.","aliases":["BIT-seaweedfs-2026-54917","CVE-2026-54917","GHSA-w62w-66v9-vvgv"],"modified":"2026-07-08T08:26:11.410519786Z","published":"2026-06-30T15:57:59.372Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58372.json","cna_assigner":"VulnCheck","cwe_ids":["CWE-22"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58372.json"},{"type":"ADVISORY","url":"https://github.com/seaweedfs/seaweedfs/releases/tag/4.34"},{"type":"ADVISORY","url":"https://github.com/seaweedfs/seaweedfs/security/advisories/GHSA-w62w-66v9-vvgv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-58372"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/seaweedfs-cross-bucket-object-deletion-via-deleteobjects-request-body-keys"},{"type":"FIX","url":"https://github.com/seaweedfs/seaweedfs/commit/0345658ea8e7c6a3948ad190634b00866ec244c9"},{"type":"FIX","url":"https://github.com/seaweedfs/seaweedfs/pull/9931"},{"type":"PACKAGE","url":"https://github.com/seaweedfs/seaweedfs"},{"type":"EVIDENCE","url":"https://github.com/geo-chen/oss/blob/main/seaweedfs.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/seaweedfs/seaweedfs","events":[{"introduced":"0"},{"fixed":"c6cf5a5bd7c87694c8d71ab41571f1412170ab2a"},{"fixed":"0345658ea8e7c6a3948ad190634b00866ec244c9"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"4.34"}],"source":["DESCRIPTION","REFERENCES"]}}],"versions":["4.33","4.32","4.31","4.30","4.29","4.28","4.27","4.26","4.25","4.24","4.23","4.22","4.21","4.20","4.19","4.18","4.17","4.16","4.15","4.13","4.12","4.09","4.08","4.07","4.06","4.05","4.04","4.03","4.02","4.01","4.00","3.99","3.97","3.96","3.95","3.94","3.93","3.92","3.91","3.90","3.89","3.88","3.87","3.86","3.85","3.84","3.83","3.82","3.81","3.80","3.79","3.78","3.77","3.76","3.75","3.74","3.73","3.72","3.67","3.66","3.64","3.63","3.62","3.61","3.60","3.59","3.58","3.57","3.55","3.54","3.53","3.52","3.51","3.50","3.48","3.47","3.46","3.45","3.44","3.43","3.42","3.41","3.40","3.39","3.38","3.37","3.36","3.35","3.34","3.33","v3.33","3.32","3.31","3.30","3.29","3.28","3.27","3.26","3.25","3.24","3.23","3.22","3.21","3.20","3.19","3.18","3.16","3.15","dev","3.14","3.13","3.12","3.11","3.10","3.09","3.08","3.07","3.06","3.05","3.04","3.03","3.02","3.01","3.00","2.99","2.98","2.97","2.96","2.95","2.94","2.93","2.92","2.91","2.90","2.89","2.88","2.87","2.86","2.85","2.84","2.83","2.82","2.80","2.81","2.79","2.78","2.77","2.76","2.75","2.74","2.73","2.72","2.71","2.70","2.69","2.68","2.67","2.66","2.65","2.64","2.63","2.62","2.61","2.60","2.59","2.58","2.57","2.56","2.55","2.54","2.53","2.52","2.51","2.50","2.49","2.48","2.47","2.43","2.42","2.41","2.40","2.39","2.38","2.37","2.36","2.35","2.34","2.33","2.32","2.31","2.30","2.29","2.28","2.27","2.26","2.25","2.24","2.23","2.22","2.21","2.19","2.20","2.18","2.17","2.16","2.15","2.14","2.13","2.12","2.11","2.10","2.09","2.08","2.07","2.06","2.05","2.04","2.03","2.02","2.01","2.00","1.99","1.98","1.97","1.96","1.95","1.94","1.93","1.92","1.91","1.90","1.88","1.87","1.86","1.85","1.84","1.83","1.82","1.81","1.80","1.79","1.78","1.77","1.76","1.75","1.71","1.74","1.73","1.72","1;70","1.70","1.69","1.68","1.67","1.66","1.65","1.64","1.63","1.62","1.61","1.61RC","1.45","1.60","1.59","1.58","1.57","1.56","1.55","1.54","1.53","1.52","1.51","1.50","1.49","1.48","1.47","1.46","1.44","1.43","1.42","1.41","1.40","1.38","1.37","1.36","1.35","1.33","1.32","1.31","1.30","1.29","1.28","1.27","1.26","1.25","1.24","1.23","1.22","1.21","1.20","1.19","1.18","1.17","1.16","1.15","1.14","1.12","1.11","1.10","1.09","1.08","1.07","1.06","1.05","1.04","1.03","1.02","1.01","1.00","0.99","0.98","0.97","0.96","0.95","0.94","0.93","0.92","0.91","0.90","0.77","0.76","0.75","0.74","0.73","0.72.release","0.72","v0.70beta","v0.69"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58372.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"}]}