Authorization Flaw in SeaweedFS Distributed Storage System
CVE-2026-55873
4.3MEDIUM
What is CVE-2026-55873?
SeaweedFS, a distributed storage solution, contains an authorization flaw in versions 4.08 through 4.33. This vulnerability affects requests signed with the SigV4 service for S3Tables, which are incorrectly routed to the S3Tables management API. Due to this flaw, account-less S3 identities erroneously collapse into a shared admin account, leading to improper authorization controls. Consequently, a low-privileged S3 user can enumerate administrator-owned table bucket names and ARNs, posing significant risks to data confidentiality and integrity. The issue has been resolved in version 4.34.
Affected Version(s)
seaweedfs >= 4.08, < 4.34
