GHSA-824w-x939-6cmc: TensorZero Gateway: Arbitrary file read and SSRF in internal object storage endpoint
TensorZero Gateway versions prior to 2026.6.0 contain a vulnerability in the /internal/object_storage endpoint that allows arbitrary file read and server-side request forgery (SSRF). This occurs because the endpoint accepts a user-controlled JSON parameter that overrides object storage configuration, enabling attackers to read sensitive files or coerce outbound requests to internal or cloud metadata endpoints. The vulnerability requires access to the gateway and is mitigated by authentication if enabled. A patch is available in version 2026.6.0.
AI Analysis
Technical Summary
The TensorZero Gateway's /internal/object_storage endpoint accepts a JSON parameter 'storage_path' that overrides the [object_storage] configuration. By exploiting the 'filesystem' storage type, attackers can read arbitrary files on the gateway filesystem, potentially exposing sensitive credentials. By exploiting the 's3_compatible' storage type, attackers can force the gateway to make outbound requests to attacker-controlled internal or cloud metadata endpoints, resulting in SSRF. This vulnerability affects deployments accessible by untrusted callers and is mitigated if authentication is enabled. The issue is fixed in version 2026.6.0.
Potential Impact
An attacker with access to the vulnerable endpoint can read arbitrary files on the gateway filesystem, potentially exposing sensitive information such as credentials. Additionally, the attacker can induce the gateway to perform SSRF attacks by making it send requests to internal or cloud metadata endpoints. This can lead to information disclosure and potential further compromise of internal resources. The vulnerability does not impact integrity or availability directly but poses a high confidentiality risk.
Mitigation Recommendations
A patch fixing this vulnerability is available in TensorZero Gateway version 2026.6.0 and should be applied to affected deployments. If upgrading is not immediately possible, external access to the /internal/object_storage endpoint should be blocked to prevent exploitation. Deployments with authentication enabled limit exploitation to authenticated users only.
GHSA-824w-x939-6cmc: TensorZero Gateway: Arbitrary file read and SSRF in internal object storage endpoint
Description
TensorZero Gateway versions prior to 2026.6.0 contain a vulnerability in the /internal/object_storage endpoint that allows arbitrary file read and server-side request forgery (SSRF). This occurs because the endpoint accepts a user-controlled JSON parameter that overrides object storage configuration, enabling attackers to read sensitive files or coerce outbound requests to internal or cloud metadata endpoints. The vulnerability requires access to the gateway and is mitigated by authentication if enabled. A patch is available in version 2026.6.0.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The TensorZero Gateway's /internal/object_storage endpoint accepts a JSON parameter 'storage_path' that overrides the [object_storage] configuration. By exploiting the 'filesystem' storage type, attackers can read arbitrary files on the gateway filesystem, potentially exposing sensitive credentials. By exploiting the 's3_compatible' storage type, attackers can force the gateway to make outbound requests to attacker-controlled internal or cloud metadata endpoints, resulting in SSRF. This vulnerability affects deployments accessible by untrusted callers and is mitigated if authentication is enabled. The issue is fixed in version 2026.6.0.
Potential Impact
An attacker with access to the vulnerable endpoint can read arbitrary files on the gateway filesystem, potentially exposing sensitive information such as credentials. Additionally, the attacker can induce the gateway to perform SSRF attacks by making it send requests to internal or cloud metadata endpoints. This can lead to information disclosure and potential further compromise of internal resources. The vulnerability does not impact integrity or availability directly but poses a high confidentiality risk.
Mitigation Recommendations
A patch fixing this vulnerability is available in TensorZero Gateway version 2026.6.0 and should be applied to affected deployments. If upgrading is not immediately possible, external access to the /internal/object_storage endpoint should be blocked to prevent exploitation. Deployments with authentication enabled limit exploitation to authenticated users only.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-824w-x939-6cmc
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-54457"]
- Ecosystems
- ["PyPI"]
- Database Specific Severity
- HIGH
- Cvss Version
- 3.1
Threat ID: 6a58b41268715ace43d68295
Added to database: 07/16/2026, 10:36:02 UTC
Last enriched: 07/16/2026, 10:55:11 UTC
Last updated: 07/16/2026, 10:55:11 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.