<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>TensorZero - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/tensorzero/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 22:01:39 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/tensorzero/feed.xml" rel="self" type="application/rss+xml"/><item><title>TensorZero Gateway Arbitrary File Read and SSRF Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-tensorzero-gateway-rce-ssrf/</link><pubDate>Wed, 15 Jul 2026 22:01:39 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-tensorzero-gateway-rce-ssrf/</guid><description>A high-severity vulnerability (CVE-2026-54457) in the TensorZero Gateway's `/internal/object_storage` endpoint allows attackers to achieve arbitrary file reading from the gateway filesystem and Server-Side Request Forgery (SSRF) by manipulating the `storage_path` parameter, potentially leading to credential exposure and internal network reconnaissance.</description><content:encoded><![CDATA[<p>A high-severity vulnerability, identified as CVE-2026-54457, exists in the TensorZero Gateway's <code>/internal/object_storage</code> endpoint, affecting versions prior to 2026.6.0. This flaw allows an attacker to control the <code>storage_path</code> parameter by supplying a crafted JSON payload. By abusing the <code>filesystem</code> storage type, attackers can read arbitrary files from the gateway's filesystem, potentially exposing sensitive data like credentials. Furthermore, leveraging the <code>s3_compatible</code> storage type enables Server-Side Request Forgery (SSRF), coercing the gateway into making outbound requests to attacker-specified internal or cloud-metadata endpoints. This vulnerability is exploitable by untrusted callers if the gateway has authentication disabled, or by authenticated callers if authentication is enabled. Successful exploitation can lead to credential theft, internal network mapping, and exfiltration of cloud resources, posing a significant risk to the affected infrastructure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a TensorZero Gateway instance with an accessible <code>/internal/object_storage</code> endpoint.</li>
<li>The attacker constructs a malicious JSON payload designed to manipulate the <code>storage_path</code> parameter.</li>
<li>To achieve arbitrary file reading, the attacker sets the JSON <code>storage_type</code> to <code>filesystem</code> and specifies a local file path (e.g., <code>/etc/passwd</code>).</li>
<li>The attacker sends an HTTP POST request to the <code>/internal/object_storage</code> endpoint with the crafted JSON payload, potentially URL-encoded, as a parameter or in the request body.</li>
<li>The vulnerable TensorZero Gateway processes the request, overriding its object storage configuration and reading the specified local file.</li>
<li>The gateway returns the content of the arbitrary file in its response, completing the arbitrary file read.</li>
<li>Alternatively, to perform Server-Side Request Forgery (SSRF), the attacker sets the JSON <code>storage_type</code> to <code>s3_compatible</code> and specifies an internal IP address or a cloud-metadata endpoint URL (e.g., <code>http://169.254.169.254/latest/meta-data/</code>).</li>
<li>The gateway is coerced into making an outbound request to the attacker-controlled endpoint, returning the response which could contain internal network information or cloud credentials.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-54457 allows attackers to read arbitrary files from the TensorZero Gateway's filesystem, potentially exposing sensitive configuration files, system credentials, or other confidential data. The Server-Side Request Forgery (SSRF) capability further enables attackers to perform internal network reconnaissance, access internal services, and exfiltrate cloud metadata, such as AWS IAM role credentials, which can lead to broader cloud resource compromise. While the vulnerability requires authentication if enabled, unauthenticated access is possible if the gateway's authentication is disabled, significantly broadening the attack surface. This could lead to a complete compromise of the gateway and further lateral movement within an organization's network or cloud environment. The vulnerability has been patched in version 2026.6.0.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-54457 immediately by upgrading TensorZero Gateway to version <code>2026.6.0</code> or later to remediate the vulnerability.</li>
<li>If immediate upgrade is not possible for a gateway exposed to untrusted callers, block external access to the <code>/internal/object_storage</code> endpoint at the network perimeter.</li>
<li>Deploy the provided Sigma rule to detect exploitation attempts against this vulnerability in your web server logs.</li>
<li>Ensure web server logs are configured to capture full HTTP POST request bodies for the <code>/internal/object_storage</code> endpoint to improve detection fidelity against this type of exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>arbitrary-file-read</category><category>ssrf</category><category>web-vulnerability</category><category>credential-access</category><category>discovery</category><category>cloud</category><category>pip-package</category></item></channel></rss>