PatchSiren cyber security CVE debrief

CVE-2026-54917 seaweedfs CVE debrief

CVE-2026-54917 is a high-severity vulnerability in SeaweedFS, a distributed storage system for object storage (S3), file systems, and Iceberg tables. The vulnerability arises from the S3 API gateway and the Iceberg REST catalog gateway constructing their routers with mux.NewRouter().SkipClean(true), which disables path cleaning. This allows a .. segment inside the URL to survive routing, potentially leading to unauthorized access or data manipulation. The vulnerability is fixed in version 4.30 of SeaweedFS. Users of affected versions should update to 4.30 or apply compensating controls to mitigate the risk. This vulnerability has a CVSS score of 7.8 and is classified as HIGH severity.

Vendor
seaweedfs
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-25
Original CVE updated
2026-06-29
Advisory published
2026-06-25
Advisory updated
2026-06-29

Who should care

Organizations using SeaweedFS for object storage, file systems, or Iceberg tables should prioritize this vulnerability. Specifically, those with exposed S3 API gateways or Iceberg REST catalog gateways are at risk. Updating to version 4.30 or applying mitigations is crucial to prevent potential path traversal attacks.

Technical summary

The vulnerability in SeaweedFS is caused by the use of mux.NewRouter().SkipClean(true) in the S3 API gateway and the Iceberg REST catalog gateway. This setting disables path cleaning, so a .. segment in the request URL passes through routing intact instead of being collapsed first. A request such as GET /bucket-A/../evil-bucket/key is therefore matched as bucket=bucket-A, object=../evil-bucket/key. The object key is then joined into a filer path, and that join collapses the .. server-side, potentially allowing reads or writes to unintended locations. This issue is resolved in SeaweedFS version 4.30.

Defensive priority

High priority should be given to updating SeaweedFS to version 4.30. Until the update is applied, defenders should monitor the affected gateways for suspicious activity, especially unusual access patterns or errors related to path traversal.

Recommended defensive actions

  • Update SeaweedFS to version 4.30 or later.
  • Monitor S3 API and Iceberg REST catalog gateway logs for suspicious activity.
  • Implement compensating controls such as restrictive access controls and input validation that rejects .. segments in object keys.
  • Review and update security configurations for SeaweedFS gateways.
  • Perform inventory checks to identify affected systems.
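As an added example (not code from SeaweedFS, gorilla/mux or the advisory source), the Go program below uses only the standard library to reproduce the routing mismatch described in the technical summary, shows the hardened path join a handler would use, and scans constructed log lines for the pattern the monitoring recommendation refers to. The /buckets/<bucket>/<key> layout, the function names and the log lines are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Assumed filer layout for this example: objects live under /buckets/<bucket>/<key>.
// This is an illustrative constant, not SeaweedFS's real configuration.
const bucketRoot = "/buckets"

// splitBucketAndKey imitates a router with path cleaning disabled (the
// SkipClean(true) behaviour the advisory describes): the request path is taken
// verbatim, the first segment is the bucket and the rest is the object key,
// with no ".." collapsing before the match.
func splitBucketAndKey(requestPath string) (bucket, key string) {
	trimmed := strings.TrimPrefix(requestPath, "/")
	parts := strings.SplitN(trimmed, "/", 2)
	bucket = parts[0]
	if len(parts) == 2 {
		key = parts[1]
	}
	return bucket, key
}

// unsafeFilerPath joins bucket and key the way a naive handler would.
// path.Join runs path.Clean, so a ".." in the key collapses here and the
// result can land outside the bucket directory.
func unsafeFilerPath(bucket, key string) string {
	return path.Join(bucketRoot, bucket, key)
}

// hasDotDotSegment reports whether any "/"-separated segment of key is exactly
// "..". Matching whole segments avoids false positives on names like "a..b".
func hasDotDotSegment(key string) bool {
	for _, seg := range strings.Split(key, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// safeFilerPath is the hardened join: it rejects keys containing a ".."
// segment and, as a second line of defence, checks that the cleaned result
// still sits inside the bucket's own directory.
func safeFilerPath(bucket, key string) (string, error) {
	if bucket == "" || bucket == "." || bucket == ".." || strings.Contains(bucket, "/") {
		return "", fmt.Errorf("invalid bucket name %q", bucket)
	}
	if hasDotDotSegment(key) {
		return "", fmt.Errorf("object key %q contains a \"..\" segment", key)
	}
	bucketDir := path.Join(bucketRoot, bucket)
	full := path.Join(bucketDir, key)
	if full != bucketDir && !strings.HasPrefix(full, bucketDir+"/") {
		return "", fmt.Errorf("object key %q escapes bucket %q", key, bucket)
	}
	return full, nil
}

// Constructed sample access-log lines in a common-log-like layout. This is
// not SeaweedFS's real log format; the request path is the second field of
// the quoted request.
var sampleLog = []string{
	`10.0.0.5 - - [25/Jun/2026:10:01:02 +0000] "GET /bucket-A/report.csv HTTP/1.1" 200 512`,
	`10.0.0.9 - - [25/Jun/2026:10:01:07 +0000] "GET /bucket-A/../evil-bucket/key HTTP/1.1" 200 40`,
	`10.0.0.5 - - [25/Jun/2026:10:01:09 +0000] "PUT /bucket-A/a..b/notes.txt HTTP/1.1" 200 0`,
	`10.0.0.9 - - [25/Jun/2026:10:01:11 +0000] "GET /bucket-B/x/../../bucket-A/secret HTTP/1.1" 200 77`,
}

// suspiciousRequests returns the request paths from log lines whose object
// key carries a ".." segment, i.e. the traversal pattern from the advisory,
// so a defender can alert on them.
func suspiciousRequests(lines []string) []string {
	var hits []string
	for _, line := range lines {
		start := strings.Index(line, `"`)
		end := strings.LastIndex(line, `"`)
		if start < 0 || end <= start {
			continue
		}
		fields := strings.Fields(line[start+1 : end])
		if len(fields) < 2 {
			continue
		}
		reqPath := fields[1]
		if _, key := splitBucketAndKey(reqPath); hasDotDotSegment(key) {
			hits = append(hits, reqPath)
		}
	}
	return hits
}

func main() {
	bucket, key := splitBucketAndKey("/bucket-A/../evil-bucket/key")
	fmt.Printf("routed as bucket=%s object=%s\n", bucket, key)
	fmt.Println("naive join resolves to:", unsafeFilerPath(bucket, key))
	if _, err := safeFilerPath(bucket, key); err != nil {
		fmt.Println("hardened join rejects it:", err)
	}
	fmt.Println("log hits:", suspiciousRequests(sampleLog))
}
```

The naive join resolves the advisory's sample request to /buckets/evil-bucket/key, which is exactly the cross-bucket access the debrief warns about; the hardened join refuses the same key before any filer path is built. Whole-segment matching is deliberate on both the validation and the log-scanning side so that legitimate object names containing consecutive dots do not trigger it.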

Evidence notes

CVE-2026-54917 is documented in the NVD database, which gives a detailed description of the issue and its impact. The vulnerability is caused by the use of mux.NewRouter().SkipClean(true) in the S3 API gateway and the Iceberg REST catalog gateway. The CVE record provides additional context and references to the vendor's advisory and mitigation strategies.

Official resources

This article is AI-assisted and based on the supplied source corpus.