CVE-2026-42882: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in oxyno-zeta s3-proxy
CVE-2026-42882 is a critical path traversal vulnerability in oxyno-zeta's s3-proxy prior to version 5. 0. 0. It arises from inconsistent URL path interpretation between the authentication middleware and the bucket handler, allowing unauthenticated attackers to bypass authentication. This enables unauthorized PUT, GET, or DELETE operations on protected S3 object namespaces. The issue is fixed in version 5. 0. 0. The vulnerability has a CVSS score of 9. 4, indicating high severity.
AI Analysis
Technical Summary
The vulnerability in oxyno-zeta/s3-proxy (versions before 5.0.0) is caused by a mismatch in how the authentication middleware and the bucket handler interpret URL paths. The authentication middleware checks resource paths against the percent-encoded request URI, while the bucket handler uses the decoded path. This discrepancy, combined with the glob library's behavior allowing '*' to match across path separators, enables path traversal attacks. Attackers can exploit this by using patterns that traverse directories (e.g., '../'), percent-encoded slashes (%2F), or glob patterns to access or modify protected S3 object namespaces without authentication. This leads to unauthorized read, write, or delete operations on S3 objects. The vulnerability is resolved in version 5.0.0.
Potential Impact
An unauthenticated attacker with network access can bypass authentication controls and perform unauthorized operations (PUT, GET, DELETE) on objects within authentication-protected S3 namespaces. This compromises confidentiality and integrity of stored data and may cause limited availability impact. The CVSS score of 9.4 reflects critical impact on confidentiality and integrity with low attack complexity and no required privileges.
Mitigation Recommendations
A fixed version (5.0.0) of oxyno-zeta/s3-proxy is available that resolves this vulnerability. Since this is a cloud-hosted service, the vendor manages remediation server-side. Users should verify with the vendor advisory that their service instance is updated to version 5.0.0 or later to ensure protection against this vulnerability. Patch status is confirmed by the vendor's release of version 5.0.0.
CVE-2026-42882: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in oxyno-zeta s3-proxy
Description
CVE-2026-42882 is a critical path traversal vulnerability in oxyno-zeta's s3-proxy prior to version 5. 0. 0. It arises from inconsistent URL path interpretation between the authentication middleware and the bucket handler, allowing unauthenticated attackers to bypass authentication. This enables unauthorized PUT, GET, or DELETE operations on protected S3 object namespaces. The issue is fixed in version 5. 0. 0. The vulnerability has a CVSS score of 9. 4, indicating high severity.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in oxyno-zeta/s3-proxy (versions before 5.0.0) is caused by a mismatch in how the authentication middleware and the bucket handler interpret URL paths. The authentication middleware checks resource paths against the percent-encoded request URI, while the bucket handler uses the decoded path. This discrepancy, combined with the glob library's behavior allowing '*' to match across path separators, enables path traversal attacks. Attackers can exploit this by using patterns that traverse directories (e.g., '../'), percent-encoded slashes (%2F), or glob patterns to access or modify protected S3 object namespaces without authentication. This leads to unauthorized read, write, or delete operations on S3 objects. The vulnerability is resolved in version 5.0.0.
Potential Impact
An unauthenticated attacker with network access can bypass authentication controls and perform unauthorized operations (PUT, GET, DELETE) on objects within authentication-protected S3 namespaces. This compromises confidentiality and integrity of stored data and may cause limited availability impact. The CVSS score of 9.4 reflects critical impact on confidentiality and integrity with low attack complexity and no required privileges.
Mitigation Recommendations
A fixed version (5.0.0) of oxyno-zeta/s3-proxy is available that resolves this vulnerability. Since this is a cloud-hosted service, the vendor manages remediation server-side. Users should verify with the vendor advisory that their service instance is updated to version 5.0.0 or later to ensure protection against this vulnerability. Patch status is confirmed by the vendor's release of version 5.0.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-30T18:49:06.711Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a028779cbff5d86108b80ab
Added to database: 5/12/2026, 1:50:49 AM
Last enriched: 5/12/2026, 2:08:40 AM
Last updated: 5/12/2026, 3:45:41 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.