Path Traversal Vulnerability in SeaweedFS Distributed Storage System
CVE-2026-54917

7.8 HIGH

Key Information:

Vendor: Seaweedfs

Status
Vendor
CVE Published: 25 June 2026

What is CVE-2026-54917?

SeaweedFS, a distributed storage system for object storage and Iceberg tables, has a path traversal vulnerability in which specific URL patterns can bypass security measures. With the S3 API gateway and the Iceberg REST catalog gateway configured with path cleaning disabled, attackers can exploit the flaw using URLs that contain .. segments. For example, a request such as GET /bucket-A/../evil-bucket/key can lead to unauthorized access to, or manipulation of, files in unintended buckets. The issue is addressed in version 4.30, which implements a routing safeguard against such path traversal attacks.
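The mismatch described above, as an added Go example that is not SeaweedFS code and not the 4.30 patch: it compares the bucket read from the uncleaned path with the bucket the path resolves to once cleaned, and rejects any request carrying a .. segment. The function names and all sample paths except the advisory's own are constructed, and decoding percent-encoded dots before the check is a generalization beyond the advisory text.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// firstSegment returns the first non-empty path segment, which an
// S3-style router treats as the bucket name.
func firstSegment(p string) string {
	p = strings.TrimLeft(p, "/")
	if i := strings.IndexByte(p, '/'); i >= 0 {
		return p[:i]
	}
	return p
}

// CheckPath (hypothetical helper) returns the bucket seen in the uncleaned
// path, the bucket the cleaned path resolves to, and whether the request is
// acceptable. Policy assumed here: any ".." segment is rejected outright.
func CheckPath(rawPath string) (routed, resolved string, ok bool) {
	decoded, err := url.PathUnescape(rawPath) // also catches %2e%2e
	if err != nil {
		return "", "", false // malformed escape: reject
	}
	routed = firstSegment(decoded)
	hasDotDot := false
	for _, seg := range strings.Split(decoded, "/") {
		if seg == ".." {
			hasDotDot = true
		}
	}
	resolved = firstSegment(path.Clean("/" + decoded))
	return routed, resolved, !hasDotDot && routed == resolved
}

func main() {
	// Constructed sample paths; the second is the advisory's example.
	for _, p := range []string{
		"/bucket-A/key", "/bucket-A/../evil-bucket/key",
		"/bucket-A/%2e%2e/evil-bucket/key", "/bucket-A/a..b/key",
	} {
		routed, resolved, ok := CheckPath(p)
		fmt.Printf("%-36s routed=%-9s resolved=%-12s ok=%v\n", p, routed, resolved, ok)
	}
}
```

A check like this belongs in front of authorization, so that the bucket being authorized is the bucket that is actually served.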

Affected Version(s)

seaweedfs < 4.30

CVSS V4

Score: 7.8
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
