Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-42882
Summary
The original concern is functional: a resource pattern should treat a percent-encoded segment like some%2Fvalue as a single opaque token rather than splitting it into two path segments at the decoded /. Investigation into why %2F was being decoded and how routes matched against the result surfaced three related security issues. The vulnerabilities are authentication bypass issues caused by inconsistent URL path handling and overly permissive wildcard matching. Attackers can exploit %2F encoded slashes or ../ path traversal sequences to access or write to protected S3 namespaces without authentication due to mismatches between encoded and decoded path processing. All versions prior to 5.0.0 are affected.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- LOW
CWE-22 - Path Traversal
Path traversal (or directory traversal), is a vulnerability that allows malicious users to traverse the server's root directory, gaining access to arbitrary files and folders such as application code & data, back-end credentials, and sensitive operating system files. In the worst-case scenario, an attacker could potentially execute arbitrary files on the server, resulting in a denial of service attack. Such an exploit may severely impact the integrity, confidentiality, and availability of an application.
References
Advisory Timeline
- Published
