TensorZero Gateway: Arbitrary file read and SSRF in internal object storage endpoint
Impact
The /internal/object_storage endpoint accepts a caller-supplied JSON storage_path parameter that dynamically overrides the TensorZero [object_storage] configuration.
By abusing the filesystem storage type, a caller can read arbitrary files from the gateway filesystem, including files that may contain sensitive credentials. Similarly, by abusing the s3_compatible storage type, the caller can coerce the gateway into making outbound object storage requests to attacker-chosen internal/cloud-metadata endpoints.
This vulnerability only applies when the gateway can be accessed by untrusted callers. If a developer's TensorZero deployment has authentication enabled, only authenticated callers can exploit this vulnerability. If a developer's deployment has authentication disabled, any caller can exploit this vulnerability.
Remediation
The vulnerability has been patched in version 2026.6.0. See PR #7527.
Workarounds
If developers are unable to upgrade a gateway that is exposed to untrusted callers, please block external access to the /internal/object_storage endpoint.