Authentication Bypass in S3 Proxy by Oxyno-Zeta
CVE-2026-42882

9.4 CRITICAL

Key Information:

Vendor: Oxyno-zeta

Status
Vendor
CVE Published: 11 May 2026

What is CVE-2026-42882?

The S3 Proxy by Oxyno-Zeta, an AWS S3 proxy implemented in Go, contains an authentication bypass vulnerability due to inconsistent URL path interpretation. This issue arises in versions prior to 5.0.0, where the authentication middleware and the bucket handler process URL paths differently. Attackers can exploit this flaw to perform unauthorized actions such as reading, deleting, or writing objects in secure S3 namespaces. By leveraging specific URL patterns, percent-encoded slashes, or dot-dot segments, unauthenticated users can bypass authentication mechanisms. This vulnerability poses a significant risk to users relying on S3 for secure data handling and requires immediate attention and upgrading to version 5.0.0 or higher.
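A defensive sketch of the remedy for this bug class, added here as an example and not taken from s3-proxy or its 5.0.0 fix: the request path is parsed once, ambiguous encodings and dot segments are rejected, and the authorization check and the handler receive the same string. The names `decide` and `guard`, the `/private/` policy and the Basic-auth stand-in are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Escaped '/', '\', '.' or '%' can decode into a different segment layout downstream.
var encodedSep = regexp.MustCompile(`(?i)%(2f|5c|2e|25)`)
// decide parses the target once; the returned path is the only one auth and handler may use.
func decide(target string, authed bool) (int, string) {
	u, err := url.ParseRequestURI(target)
	if err != nil || encodedSep.MatchString(u.EscapedPath()) {
		return http.StatusBadRequest, ""
	}
	// The decoded path must already be clean: no "..", ".", "//" or backslash.
	p := u.Path
	if p != "/" && path.Clean(p) != strings.TrimSuffix(p, "/") || strings.Contains(p, `\`) {
		return http.StatusBadRequest, ""
	}
	// Hypothetical policy: everything under /private/ requires credentials.
	if (p == "/private" || strings.HasPrefix(p, "/private/")) && !authed {
		return http.StatusUnauthorized, ""
	}
	return http.StatusOK, p
}

// guard authorizes, then hands the handler the exact path string that was checked.
func guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _, hasCreds := r.BasicAuth() // stand-in for real credential verification
		status, p := decide(r.URL.EscapedPath(), hasCreds)
		if status != http.StatusOK {
			http.Error(w, http.StatusText(status), status)
			return
		}
		r.URL.Path, r.URL.RawPath = p, ""
		next.ServeHTTP(w, r)
	})
}

func main() { // constructed sample targets, unauthenticated
	for _, t := range []string{"/public/a.txt", "/private/a.txt", "/public/../private/a.txt"} {
		fmt.Println(decide(t, false))
	}
}
```

Rejecting with 400 instead of silently cleaning the path is deliberately strict: it also refuses object keys that contain an escaped dot or percent sign, which a deployment would have to weigh against its naming scheme.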

Affected Version(s)

s3-proxy < 5.0.0

CVSS V3.1

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved