This release includes 1 security fix, relevant to security teams reviewing exposed deployments.
Summary
AI summary: FUSE Mount fixes, S3 API enhancements and security checks, Volume Server stability improvements, Admin/Worker upload changes, Filer atime support.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | verify source permission on CopyObject and UploadPartCopy | — |
| Feature | Medium | load -s3.config static identities into the filer's CredentialManager | — |
| Feature | Medium | keep host-less bucket catch-all so reverse proxies work | — |
| Feature | Medium | support group inline policies + Condition enforcement | — |
| Feature | Medium | stub bucket configuration list endpoints | — |
| Feature | Medium | add four bucket configuration handlers | — |
| Feature | Medium | add TagUser, UntagUser, ListUserTags IAM actions | — |
| Feature | Medium | accept legacy needle CRC encoding on read | — |
| Feature | Medium | switch file browser upload/download to filer gRPC + volume HTTP | — |
| Feature | Medium | add atime to FuseAttributes + TouchAccessTime RPC | — |
| Bugfix | Medium | don't release file handles from FUSE Forget | — |
| Bugfix | Medium | keep periodic metadata flush from dropping concurrent chunk uploads | — |
| Bugfix | Medium | keep anonymous access working with EnableIam default | — |
| Bugfix | Medium | stop S3 Tables routes from swallowing buckets named "buckets" or "get-table" | — |
| Bugfix | Medium | reject 0-byte .ecx and aggregate cross-disk failures | — |
| Bugfix | Medium | remove partial files on copy stream error | — |
| Bugfix | Medium | reopen .idx writable after MarkVolumeWritable | — |
| Bugfix | Medium | tombstone integrity check no longer flips volumes read-only | — |
| Bugfix | Medium | VolumeEcShardsInfo walks every disk on multi-disk servers | — |
| Bugfix | Medium | include disk_id in EC execution plan | — |
| Bugfix | Medium | attach admin JWT for filer IAM gRPC calls | — |
| Bugfix | Medium | show one entry per physical disk on multi-disk nodes | — |
| Bugfix | Medium | reserve mini ports on all interfaces; bound risingwave cleanup shell | — |
| Other | Medium | Revise MinIO comparison in README for accuracy | — |
Full changelog
What's Changed
- FUSE Mount
  - fix(mount): don't release file handles from FUSE Forget by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9529
  - fix(mount): keep periodic metadata flush from dropping concurrent chunk uploads by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9574
- S3 API
  - fix(filer): load -s3.config static identities into the filer's CredentialManager by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9537
  - fix(s3): keep host-less bucket catch-all so reverse proxies work by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9540
  - s3api: verify source permission on CopyObject and UploadPartCopy by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9555
  - fix(s3): keep anonymous access working with EnableIam default (fixes #9557) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9567
  - fix(s3): stop S3 Tables routes from swallowing buckets named "buckets" or "get-table" by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9566
  - s3api: support group inline policies + Condition enforcement by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9569
  - feat(s3): stub bucket configuration list endpoints by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9571
  - feat(s3): add four bucket configuration handlers by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9570
  - feat(s3): add TagUser, UntagUser, ListUserTags IAM actions by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9572
- Volume Server
  - fix(ec_mount): reject 0-byte .ecx and aggregate cross-disk failures by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9542
  - fix(ec_distribute): remove partial files on copy stream error by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9543
  - fix(volume): reopen .idx writable after MarkVolumeWritable (fixes #9515) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9526
  - volume: accept legacy needle CRC encoding on read by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9564
  - fix(volume): tombstone integrity check no longer flips volumes read-only (fixes #9563) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9565
  - fix(ec): VolumeEcShardsInfo walks every disk on multi-disk servers by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9568
- Admin Server and Worker
  - fix(admin.plugin): include disk_id in EC execution plan by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9547
  - fix(admin): switch file browser upload/download to filer gRPC + volume HTTP by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9538
- Filer
  - feat(filer): add atime to FuseAttributes + TouchAccessTime RPC by @petedodd-pd in https://github.com/seaweedfs/seaweedfs/pull/9556
- Shell
  - fix(shell): attach admin JWT for filer IAM gRPC calls by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9536
  - fix(volume.list): show one entry per physical disk on multi-disk nodes by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9541
- Misc
  - fix(test): reserve mini ports on all interfaces; bound risingwave cleanup shell by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9545
  - Revise MinIO comparison in README for accuracy by @ser in https://github.com/seaweedfs/seaweedfs/pull/9548
  - chore(weed/command): prune unused functions by @alrs in https://github.com/seaweedfs/seaweedfs/pull/9573
New Contributors
- @ser made their first contribution in https://github.com/seaweedfs/seaweedfs/pull/9548
Full Changelog: https://github.com/seaweedfs/seaweedfs/compare/4.26...4.27
Security Fixes
- s3api: verify source permission on CopyObject and UploadPartCopy
About seaweedfs
SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables, designed to handle billions of files with O(1) disk access and effortless horizontal scaling.
Earlier breaking changes
- v4.24 Version 4.23 is unsafe with multiple disks when using erasure coding (EC).