EXECUTIVE SUMMARY:
CVE-2026-42882, with a CVSS score of 9.4, is a critical vulnerability in S3-Proxy (go/github.com/oxyno-zeta/s3-proxy), affecting versions prior to 0.0.0-20260424211602-1320e4abd46a. The flaw arises from a mismatch between how Go's net/http decodes percent-encoded characters in request URLs and how s3-proxy uses different URL fields to represent the path, resulting in path traversal. An attacker can exploit it by crafting a URL whose percent-encoded segments s3-proxy treats as separate path segments. This allows the attacker to bypass authentication and read or delete objects in a protected namespace without credentials, thereby gaining access to sensitive data. The business impact is severe: unauthorized access to sensitive data can lead to data breaches, financial losses, or reputational damage. Exploitation requires access to the s3-proxy system, either over a network connection or by manipulating its configuration files, and the ability to craft a malicious URL containing the necessary percent-encoded segments.
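As an added illustration of the net/http field mismatch described above (example code written for this page, not s3-proxy's own code or the advisory's), the following Go check compares the segments of the decoded URL.Path against those of URL.EscapedPath() and rejects any request where percent-decoding adds segments or yields a "." or ".." component. SafeObjectPath is a hypothetical name, and the sample paths and the "private" prefix are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SafeObjectPath parses a request URI and returns the decoded path plus true
// only when percent-decoding did not change its segment structure. net/http
// exposes the decoded path as URL.Path and the wire form via URL.EscapedPath();
// authorizing on one and building the object key from the other is the
// mismatch described above. Hypothetical check, not s3-proxy's own code.
func SafeObjectPath(rawURI string) (string, bool) {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return "", false
	}
	slash := func(r rune) bool { return r == '/' }
	decoded := strings.FieldsFunc(u.Path, slash)
	escaped := strings.FieldsFunc(u.EscapedPath(), slash)
	if len(decoded) != len(escaped) {
		return "", false // an encoded "/" became a new segment after decoding
	}
	for i, seg := range escaped {
		un, err := url.PathUnescape(seg)
		if err != nil || un != decoded[i] {
			return "", false // segment boundaries moved between the two forms
		}
		if decoded[i] == "." || decoded[i] == ".." {
			return "", false // traversal component, encoded or not
		}
	}
	return "/" + strings.Join(decoded, "/"), true
}

func main() {
	// Constructed sample request paths; "private" stands for a protected prefix.
	for _, uri := range []string{
		"/private/reports/q1.csv",
		"/public/my%20file.txt",
		"/public/..%2Fprivate/reports/q1.csv",
		"/public/%2E%2E/private/reports/q1.csv",
	} {
		key, ok := SafeObjectPath(uri)
		fmt.Printf("%-40s ok=%-5t key=%q\n", uri, ok, key)
	}
}
```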
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-rfgq-wgg8-662p