Authorization Flaw in SeaweedFS Distributed Storage System
CVE-2026-55873

4.3MEDIUM

Key Information:

Vendor

Seaweedfs

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-55873?

SeaweedFS, a distributed storage solution, contains an authorization flaw in versions 4.08 through 4.33. This vulnerability affects requests signed with the SigV4 service for S3Tables, which are incorrectly routed to the S3Tables management API. Due to this flaw, account-less S3 identities erroneously collapse into a shared admin account, leading to improper authorization controls. Consequently, a low-privileged S3 user can enumerate administrator-owned table bucket names and ARNs, posing significant risks to data confidentiality and integrity. The issue has been resolved in version 4.34.

Affected Version(s)

seaweedfs >= 4.08, < 4.34

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.