oxyno-zeta/s3-proxy Critical Auth Bypass (CVE-2026-42882)
A critical authentication bypass (CVE-2026-42882) has been identified in oxyno-zeta/s3-proxy, a Go-based AWS S3 proxy. The National Vulnerability Database reports that versions prior to 5.0.0 are vulnerable due to an inconsistency in URL path interpretation between the authentication middleware and the bucket handler. Specifically, the authentication layer processes percent-encoded URIs, while the S3 object key construction uses the decoded path. This mismatch, coupled with improper glob library usage, creates a severe security flaw.
This vulnerability allows unauthenticated attackers to perform unauthorized PUT, GET, or DELETE operations on objects within protected S3 namespaces. The National Vulnerability Database outlines three distinct exploitation techniques: path traversal using `*` patterns that match across path separators, percent-encoded slashes (`%2F`) that the authentication layer does not treat as separators, and dot-dot segments (`../`) under prefix patterns. The impact is direct and severe: data exfiltration, modification, or deletion without any authentication, rated with a CVSS score of 9.4 (CRITICAL).
For defenders, this is a clear and present danger. An unauthenticated attacker with network access can bypass all controls. The fix is in version 5.0.0. If you’re running this proxy, patching is not optional; it’s an immediate requirement. This isn’t theoretical – it’s a fundamental design flaw that’s ripe for exploitation. Any organization using this proxy is exposed.
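To make the mismatch concrete, here is an added Go illustration (not s3-proxy's code; the protected prefix and request paths are constructed) contrasting an authorization check made on the raw URI with one made on the same canonical key the bucket handler uses:

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed protected prefix; the real proxy configuration is not on the page.
const protectedPrefix = "/open/foo/restricted/"

// naiveIsProtected mirrors the described flaw: it decides on the raw, still-encoded URI.
func naiveIsProtected(rawPath string) bool {
	return strings.HasPrefix(rawPath, protectedPrefix)
}

// canonicalKey builds the key the bucket handler would actually use
// (percent-decoded, dot segments resolved); authorization must use this value.
func canonicalKey(rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(decoded, "/") {
		return "", fmt.Errorf("path must be absolute: %q", rawPath)
	}
	clean := path.Clean(decoded) // a rooted path can never climb above "/"
	if strings.HasSuffix(decoded, "/") && clean != "/" {
		clean += "/" // keep the trailing slash so "directory" prefix checks hold
	}
	return clean, nil
}

// hardenedIsProtected decides on the canonical key and fails closed on error.
func hardenedIsProtected(rawPath string) bool {
	key, err := canonicalKey(rawPath)
	return err != nil || strings.HasPrefix(key, protectedPrefix)
}

// bypass reports whether the naive check lets through a request that resolves into the protected namespace.
func bypass(rawPath string) bool {
	return !naiveIsProtected(rawPath) && hardenedIsProtected(rawPath)
}

func main() {
	for _, p := range []string{"/open/foo/restricted/secret.txt", "/open/foo/restricted%2Fsecret.txt",
		"/open/foo/drafts/../restricted/secret.txt", "/open/foo/%2e%2e/foo/restricted/secret.txt"} {
		fmt.Printf("%-45s naive=%-5v canonical=%-5v bypass=%v\n", p, naiveIsProtected(p), hardenedIsProtected(p), bypass(p))
	}
}
```

The first path is the only one on which both checks agree; for the other three the raw-URI check sees no protected prefix while the canonical key lands inside it.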
What This Means For You
- If your organization uses oxyno-zeta/s3-proxy, you are critically exposed to unauthenticated data manipulation and exfiltration. Immediately upgrade to version 5.0.0 or later to patch CVE-2026-42882. Audit your S3 access logs for unauthorized PUT, GET, or DELETE operations covering the period before you patched, especially if you were running a vulnerable version.
🛡️ Detection Rules
CVE-2026-42882 - S3 Proxy Authentication Bypass via Path Traversal

```yaml
title: CVE-2026-42882 - S3 Proxy Authentication Bypass via Path Traversal
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-42882 by leveraging path traversal techniques within the oxyno-zeta/s3-proxy. This rule specifically looks for URI patterns that indicate an attempt to bypass authentication by navigating through directories or using percent-encoded slashes to access protected S3 namespaces.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42882/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/open/foo/drafts/../restricted/'
      - '/open/foo/restricted/%2e%2e/'
      - '/open/foo/%2e%2e/restricted/'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42882 | Auth Bypass | oxyno-zeta/s3-proxy versions prior to 5.0.0 |
| CVE-2026-42882 | Auth Bypass | Inconsistent URL path interpretation between authentication middleware and bucket handler in s3-proxy |
| CVE-2026-42882 | Path Traversal | Exploitation via percent-encoded slashes (%2F) or dot-dot segments (../) in s3-proxy |
| CVE-2026-42882 | Auth Bypass | Unauthorized PUT, GET, or DELETE operations on S3 objects in protected namespaces via s3-proxy |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 11, 2026 at 23:25 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.