{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/tensorzero/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["pip/tensorzero (\u003c 2026.6.0)"],"_cs_severities":["high"],"_cs_tags":["arbitrary-file-read","ssrf","web-vulnerability","credential-access","discovery","cloud","pip-package"],"_cs_type":"advisory","_cs_vendors":["TensorZero"],"content_html":"\u003cp\u003eA high-severity vulnerability, identified as CVE-2026-54457, exists in the TensorZero Gateway's \u003ccode\u003e/internal/object_storage\u003c/code\u003e endpoint, affecting versions prior to 2026.6.0. This flaw allows an attacker to control the \u003ccode\u003estorage_path\u003c/code\u003e parameter by supplying a crafted JSON payload. By abusing the \u003ccode\u003efilesystem\u003c/code\u003e storage type, attackers can read arbitrary files from the gateway's filesystem, potentially exposing sensitive data like credentials. Furthermore, leveraging the \u003ccode\u003es3_compatible\u003c/code\u003e storage type enables Server-Side Request Forgery (SSRF), coercing the gateway into making outbound requests to attacker-specified internal or cloud-metadata endpoints. This vulnerability is exploitable by untrusted callers if the gateway has authentication disabled, or by authenticated callers if authentication is enabled. Successful exploitation can lead to credential theft, internal network mapping, and exfiltration of cloud resources, posing a significant risk to the affected infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a TensorZero Gateway instance with an accessible \u003ccode\u003e/internal/object_storage\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker constructs a malicious JSON payload designed to manipulate the \u003ccode\u003estorage_path\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eTo achieve arbitrary file reading, the attacker sets the JSON \u003ccode\u003estorage_type\u003c/code\u003e to \u003ccode\u003efilesystem\u003c/code\u003e and specifies a local file path (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the \u003ccode\u003e/internal/object_storage\u003c/code\u003e endpoint with the crafted JSON payload, potentially URL-encoded, as a parameter or in the request body.\u003c/li\u003e\n\u003cli\u003eThe vulnerable TensorZero Gateway processes the request, overriding its object storage configuration and reading the specified local file.\u003c/li\u003e\n\u003cli\u003eThe gateway returns the content of the arbitrary file in its response, completing the arbitrary file read.\u003c/li\u003e\n\u003cli\u003eAlternatively, to perform Server-Side Request Forgery (SSRF), the attacker sets the JSON \u003ccode\u003estorage_type\u003c/code\u003e to \u003ccode\u003es3_compatible\u003c/code\u003e and specifies an internal IP address or a cloud-metadata endpoint URL (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe gateway is coerced into making an outbound request to the attacker-controlled endpoint, returning the response which could contain internal network information or cloud credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54457 allows attackers to read arbitrary files from the TensorZero Gateway's filesystem, potentially exposing sensitive configuration files, system credentials, or other confidential data. The Server-Side Request Forgery (SSRF) capability further enables attackers to perform internal network reconnaissance, access internal services, and exfiltrate cloud metadata, such as AWS IAM role credentials, which can lead to broader cloud resource compromise. While the vulnerability requires authentication if enabled, unauthenticated access is possible if the gateway's authentication is disabled, significantly broadening the attack surface. This could lead to a complete compromise of the gateway and further lateral movement within an organization's network or cloud environment. The vulnerability has been patched in version 2026.6.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-54457 immediately by upgrading TensorZero Gateway to version \u003ccode\u003e2026.6.0\u003c/code\u003e or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not possible for a gateway exposed to untrusted callers, block external access to the \u003ccode\u003e/internal/object_storage\u003c/code\u003e endpoint at the network perimeter.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect exploitation attempts against this vulnerability in your web server logs.\u003c/li\u003e\n\u003cli\u003eEnsure web server logs are configured to capture full HTTP POST request bodies for the \u003ccode\u003e/internal/object_storage\u003c/code\u003e endpoint to improve detection fidelity against this type of exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T22:01:39Z","date_published":"2026-07-15T22:01:39Z","id":"https://feed.craftedsignal.io/briefs/2026-07-tensorzero-gateway-rce-ssrf/","summary":"A high-severity vulnerability (CVE-2026-54457) in the TensorZero Gateway's `/internal/object_storage` endpoint allows attackers to achieve arbitrary file reading from the gateway filesystem and Server-Side Request Forgery (SSRF) by manipulating the `storage_path` parameter, potentially leading to credential exposure and internal network reconnaissance.","title":"TensorZero Gateway Arbitrary File Read and SSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-tensorzero-gateway-rce-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - TensorZero","version":"https://jsonfeed.org/version/1.1"}