External risk intelligence

S3 proxy allows attackers to read or change sensitive files in your storage.

CVE advisory

Severity: CRITICAL (CVSS 9.4)

CVE-2026-42882

An authentication bypass in oxyno-zeta/s3-proxy lets attackers read or change your sensitive S3 data from anywhere on the internet. Upgrade immediately.

Halo Surface Signal: 4

Path Traversal

External exposure likelihood

Halo Surface Signal score for CVE-2026-42882

The software is an HTTP-based proxy designed to mediate access to S3 object storage. By its nature as an edge service and gateway, it is commonly deployed to serve web content or API endpoints, often in network-accessible or internet-facing configurations to enable storage interaction.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in the s3-proxy software could allow an unauthenticated attacker to bypass access controls. The issue stems from how the software interprets file paths differently during authentication and when accessing S3 buckets, potentially enabling unauthorized actions on sensitive data.

  • Attackers can read, write, or delete data.
  • The vulnerability is reachable from the internet.
  • It impacts protected S3 namespaces.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests to the s3-proxy. The proxy's inconsistent handling of URL encoding and path interpretation allows attackers to bypass authentication checks. This bypass enables them to perform unauthorized actions like reading, writing, or deleting objects in protected S3 namespaces.

  • Network access required.
  • Target the proxy's authentication middleware.
  • Manipulate URL encoding and path traversal.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in oxyno-zeta/s3-proxy allows unauthenticated attackers to perform unauthorized read, write, or delete operations on S3 objects. The inconsistent interpretation of URL paths between the authentication layer and the bucket handler, combined with specific glob patterns, enables attackers to bypass access controls. Because the proxy fronts S3, which is widely used to store sensitive data, this vulnerability is attractive to attackers.

  • Authentication bypass flaw.
  • Affects network-accessible proxy.
  • Public exploit code not yet observed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize identifying all instances of oxyno-zeta/s3-proxy and immediately upgrading to version 5.0.0 or later to address the authentication bypass vulnerability. If upgrading is not feasible, implement network-level controls to restrict access to the affected proxy and closely monitor traffic for any signs of unauthorized S3 operations.

  • Upgrade s3-proxy to 5.0.0 or later.
  • Restrict network access to the proxy.
  • Monitor for unauthorized S3 object operations.

Frequently asked questions

What is oxyno-zeta/s3-proxy and its function?

oxyno-zeta/s3-proxy is a proxy for Amazon S3 storage, developed in Go. It is designed to manage and mediate access to objects stored in S3 buckets, acting as a gateway for applications and users interacting with cloud storage.

What type of vulnerability does CVE-2026-42882 represent and what is its weakness class?

CVE-2026-42882 is an authentication bypass vulnerability, classified under CWE-863 (Incorrect Security Decision) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory or 'Path Traversal'). This occurs due to the software's differing interpretation of URLs for authentication checks versus S3 bucket access.

How can an attacker exploit the CVE-2026-42882 vulnerability, and what is its scope?

Attackers can exploit this by sending crafted requests that leverage inconsistent URL path interpretation. Techniques include using glob patterns that match across path separators, employing percent-encoded slashes to collapse path segments, or using dot-dot segments with specific prefix patterns, allowing bypass of authentication and access to protected S3 namespaces.
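All three techniques listed above exploit one root cause, the authorization layer and the bucket handler reading the same URL differently, so the fix the Operational Fix section points to (upgrade, then monitor) is complemented by a design rule: canonicalize the request path once, refuse anything ambiguous, and evaluate access rules against that canonical path only. The following Go program is an added illustration of that rule; it is not s3-proxy's own code, and `CanonicalObjectPath`, `Rule`, `Authorize`, and the `Err*` values are hypothetical names chosen for this example. The request path in `main` is constructed, not captured traffic.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Distinct rejection reasons so access logs can be counted per cause when
// monitoring for probing. Example code: these names are not part of s3-proxy.
var (
	ErrBadEncoding   = errors.New("path: malformed percent-encoding or NUL byte")
	ErrDoubleEncoded = errors.New("path: '%' survives one decode (double encoding)")
	ErrEmptySegment  = errors.New("path: empty segment (double slash)")
	ErrDotSegment    = errors.New("path: '.' or '..' segment")
)

// CanonicalObjectPath decodes a raw request path exactly once and rebuilds it from
// validated segments; anything two layers could read differently is refused rather
// than normalised away. An encoded slash (%2F) is decoded here, so authorization
// and the bucket handler both see a separator; keys with a literal '%' become unreachable.
func CanonicalObjectPath(raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil || strings.Contains(decoded, "\x00") {
		return "", ErrBadEncoding
	}
	if strings.Contains(decoded, "%") { // a second decode downstream would change the key
		return "", ErrDoubleEncoded
	}
	trimmed := strings.TrimPrefix(decoded, "/")
	listing := strings.HasSuffix(trimmed, "/") // "/bucket/dir/" requests a listing
	var segments []string
	if trimmed = strings.TrimSuffix(trimmed, "/"); trimmed != "" {
		segments = strings.Split(trimmed, "/")
	}
	for _, seg := range segments {
		switch seg {
		case "":
			return "", ErrEmptySegment
		case ".", "..":
			return "", ErrDotSegment
		}
	}
	canonical := "/" + strings.Join(segments, "/")
	if listing && len(segments) > 0 {
		canonical += "/"
	}
	return canonical, nil
}

// Rule grants the listed HTTP methods on a segment-aware pattern: "*" matches exactly
// one segment, "**" the remainder, so neither can match across a "/" like a glob can.
type Rule struct {
	Pattern string
	Methods []string
}

// matchSegments compares pattern and canonical path one segment at a time.
func matchSegments(pattern, canonical string) bool {
	ps := strings.Split(strings.Trim(pattern, "/"), "/")
	cs := strings.Split(strings.Trim(canonical, "/"), "/")
	for i, p := range ps {
		if p == "**" {
			return true
		}
		if i >= len(cs) || (p != "*" && p != cs[i]) {
			return false
		}
	}
	return len(ps) == len(cs)
}

// Authorize canonicalizes and evaluates rules in one step and returns the canonical
// path, so the S3 handler is only ever given the path the rules were checked against.
func Authorize(rules []Rule, method, rawPath string) (string, bool, error) {
	canonical, err := CanonicalObjectPath(rawPath)
	if err != nil {
		return "", false, err
	}
	for _, r := range rules {
		if !matchSegments(r.Pattern, canonical) {
			continue
		}
		for _, m := range r.Methods {
			if m == method {
				return canonical, true, nil
			}
		}
	}
	return canonical, false, nil
}

func main() {
	rules := []Rule{{Pattern: "/public/**", Methods: []string{"GET"}}}
	// Constructed request path for illustration, not captured traffic.
	canon, ok, err := Authorize(rules, "GET", "/public%2F..%2Fprivate/keys.txt")
	fmt.Println(canon, ok, err)
}
```

The design choice worth noting is that rejected paths return a distinct error rather than being silently cleaned: a proxy that logs these reasons gives the monitoring step under Operational Fix something concrete to alert on (a burst of double-encoded or dot-segment paths against one host), while a proxy that "repairs" them hides exactly the traffic an operator would want to see.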

What is the relevance of CVE-2026-42882 in threat advisories, and what is its score?

This critical vulnerability (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L, base score 9.4) in oxyno-zeta/s3-proxy is relevant because it allows unauthenticated attackers network access to read, write, or delete objects in protected S3 namespaces. Halo Surface Signal assesses its potential impact as 'Likely' due to its nature as a network-accessible gateway for sensitive data storage.

What actions should be taken to respond to this vulnerability?

Teams should prioritize upgrading oxyno-zeta/s3-proxy to version 5.0.0 or later. If an immediate upgrade is not possible, implement network-level access controls to restrict proxy access and monitor for any unauthorized S3 object operations.
