GHSA-824w-x939-6cmcHighCVSS 7.7

TensorZero Gateway: Arbitrary file read and SSRF in internal object storage endpoint

Published
July 15, 2026
Last Modified
July 15, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

The /internal/object_storage endpoint accepts a caller-supplied JSON storage_path parameter that dynamically overrides the TensorZero [object_storage] configuration.

By abusing the filesystem storage type, a caller can read arbitrary files from the gateway filesystem, including files that may contain sensitive credentials. Similarly, by abusing the s3_compatible storage type, the caller can coerce the gateway into making outbound object storage requests to attacker-chosen internal/cloud-metadata endpoints.

This vulnerability only applies when the gateway can be accessed by untrusted callers. If a developer's TensorZero deployment has authentication enabled, only authenticated callers can exploit this vulnerability. If a developer's deployment has authentication disabled, any caller can exploit this vulnerability.

Remediation

The vulnerability has been patched in version 2026.6.0. See PR #7527.

Workarounds

If developers are unable to upgrade a gateway that is exposed to untrusted callers, please block external access to the /internal/object_storage endpoint.

🎯 Affected products1

  • pip/tensorzero:< 2026.6.0

🔗 References (4)