CVE Catalog

CVE-2026-42882

Critical
Published: Translated: NVD NIST

Summary

In versions prior to 5.0.0, s3-proxy contains an authentication bypass due to inconsistent URL path interpretation between the authentication middleware and the bucket handler. This vulnerability allows unauthenticated attackers to access protected S3 namespaces.

Risk Assessment

Organizations may be exposed to unauthorized access to S3 data, potentially leading to loss of confidentiality, integrity, and availability of data.

Recommendation

It is recommended to upgrade s3-proxy to version 5.0.0 or later to mitigate this vulnerability and review S3 configuration security.

Original NVD description (English source)

oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware and the bucket handler. The authentication middleware evaluates resource path patterns against the percent-encoded request URI (r.URL.RequestURI()), while the bucket handler constructs S3 object keys from the decoded path (r.URL.Path). This mismatch, combined with the glob library being invoked without a path separator (causing * to match across / boundaries), allows unauthenticated attackers to write to, read from, or delete objects in protected S3 namespaces. Exploitation is possible via three techniques: (1) using * patterns that match across path separators to reach protected routes via path traversal (e.g., /open/foo/drafts/../restricted/), (2) using percent-encoded slashes (%2F) to collapse multiple path segments into a single token at the auth layer while the decoded form resolves to

Vulnerability data from NVD (NIST) · CISA KEV · EPSS