seaweedfs

v4.24 Breaking

This release includes 3 breaking changes for platform teams planning a safe upgrade.

Published 20d Cloud Management
✓ No known CVEs patched

Topics

blob-storage cloud-drive distributed-file-system distributed-storage distributed-systems erasure-coding fuse hadoop-hdfs hdfs kubernetes s3 posix replication s3-storage seaweedfs tiered-file-system

Affected surfaces

breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 13d

SeaweedFS 4.24 requires admin authentication on destructive volume endpoints (ReadAllNeedles, BatchDelete, FetchAndWriteNeedle) and reverses the IAM default: users with empty policies are now denied instead of granted full access. It also adds OIDC provider support and fixes data loss on transient IO errors.

Why it matters: Destructive volume endpoints now require admin auth, and empty IAM policies shift from allow-all to deny. Existing deployments may break on the IAM access change, so pre-production testing is essential. OIDC support enables federated identity integration.

Summary

AI summary

EC planner treats each (server, disk_id) as a distinct target and requires admin auth for several destructive volume operations.

Changes in this release

Security Medium

Add HMAC-SHA256 key commitment to SSE-S3 and SSE-KMS.

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Encrypt SSE-S3 KEK at rest with AES-GCM wrapping.

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Scope JWT allowed_prefixes to path components.

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Restrict Ping RPC to known peers of requested type.

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Deny IAM users with no policies instead of granting full access.

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Add authentication to destructive gRPC admin endpoints.

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Require admin auth on ReadAllNeedles and VolumeNeedleStatus endpoints.

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Require admin auth on BatchDelete endpoint.

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Gate FetchAndWriteNeedle behind admin auth and refuse internal endpoints.

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Require admin-signed JWT on the IAM gRPC service.

Source: llm_adapter@2026-05-21

Confidence: low

Breaking High

Version 4.23 is unsafe with multiple disks when using erasure coding (EC).

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Medium

OIDC provider store and read-only IAM API support.

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

OIDC provider mutations, multi-client support, and TLS thumbprints.

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Principal session tags extracted from OIDC tokens.

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Claim-based policy mode for AssumeRoleWithWebIdentity.

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Account-scoped OIDC providers.

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Opt-in session revocation via JTI blocklist.

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Metadata event driven S3 lifecycle enforcement.

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

OIDC provider audit trail.

Source: llm_adapter@2026-05-21

Confidence: low

Performance Medium

Stream chunk copy via io.Pipe to reduce peak working memory.

Source: llm_adapter@2026-05-21

Confidence: high

Performance Medium

Pre-size ParseUpload buffer to request ContentLength.

Source: llm_adapter@2026-05-21

Confidence: low

Performance Medium

Full-chunk gzip pass-through skips volume-side decompression.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Prevent data loss on transient IO errors instead of nuking local data.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Verify full shard set before deleting source volume.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Prevent panic on read when needle map is nil.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Repair dangling latest-version pointer after partial delete.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

EC planner treats each server/disk_id combination as distinct target.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Preserve user-set mtime through async/periodic flush.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Skip pressure-eviction of gappy page chunks in FUSE mount.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Enable multi-disk same-server EC reads with full-lifecycle integration test.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Don't move remote-tiered volumes in balance operation.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Quiet noisy 'shard X not found' logs for EC shards on other servers.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Medium

Don't move remote‑tiered volumes during balance and avoid fatal errors on missing .idx files.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Medium

Cap copy‑chunk receive buffer to avoid append‑grow memory blowup in S3 API.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Medium

Limit pool retention so chunk‑copy buffers don't hoard memory.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Full changelog

Important note

4.23 is not safe when there are multiple disks configured and erasure coding (EC) is using the worker. The worker added a capability to distribute EC shards to different disks to ensure proper shard distribution. However, the volume server fails to load the EC shards, because the EC index could be on a different peer disk.

What's Changed

  • Table Buckets and Iceberg Catalog

    • test(s3tables): add Apache Doris Iceberg catalog integration test by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9307
    • test(s3tables): Unity Catalog OSS integration tests against SeaweedFS by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9308
  • Volume Server

    • quiet noisy 'shard X not found' log when EC shard lives on another server by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9316
    • fix(balance): don't move remote-tiered volumes; don't fatal on missing .idx by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9335
    • fix(volume): don't panic on read when needle map is nil by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9342
    • fix(ec): planner treats each (server, disk_id) as a distinct target (#9369) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9371
    • volume: require admin auth on ReadAllNeedles and VolumeNeedleStatus by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9437
    • volume: require admin auth on BatchDelete by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9438
    • fix(volume): don't nuke local data on transient IO error (#9378) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9382
    • fix(volume): sticky EIO quarantine; track streamed reads by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9384
    • fix(volume): pre-size ParseUpload buffer to request ContentLength by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9421
    • perf(volume): stream-count the gzip size when no Content-MD5 is set by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9433
    • fix(ec): preserve source disk type across EC encoding (#9423) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9449
    • fix(ec): skip re-encode when EC shards already exist for the volume (#9448) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9458
    • fix(storage): refuse to load .vif-only entry as regular volume when .ecx exists (#9448) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9461
    • volume: gate FetchAndWriteNeedle behind admin auth and refuse internal endpoints by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9441
    • fix(storage): prune partial EC shards when sibling disk has healthy .dat (#9478) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9480
    • fix(volume): seed indexFileOffset in SortedFileNeedleMap so Delete appends by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9483
    • fix(ec): make multi-disk same-server EC reads work + full-lifecycle integration test by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9487
    • fix(ec): verify full shard set before deleting source volume (#9490) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9493
  • Misc

    • fix(volume): add authentication to destructive gRPC admin endpoints by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/8876
    • chore(weed/mq/kafka/protocol): remove unused functions and variables by @alrs in https://github.com/seaweedfs/seaweedfs/pull/9488
    • chore(weed/util/chunk_cache): remove unused functions by @alrs in https://github.com/seaweedfs/seaweedfs/pull/9372
    • fix(pb): skip Unix-socket gRPC registration on Windows (#9430) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9434
    • chore(weed/util/log_buffer): remove unused functions by @alrs in https://github.com/seaweedfs/seaweedfs/pull/9444
    • shell: expose retention flags on mq.topic.configure by @pmiriyev in https://github.com/seaweedfs/seaweedfs/pull/9416
    • cluster: restrict Ping RPC to known peers of the requested type by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9445
  • Mini Mode

    • fix(mini): raise admin readiness timeout to 2 minutes by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9329
  • S3

    • fix(iam): deny IAM users with no policies instead of granting full access by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9317
    • fix(s3): add HMAC-SHA256 key commitment to SSE-S3 and SSE-KMS by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/8879
    • fix(s3): encrypt SSE-S3 KEK at rest with AES-GCM wrapping by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/8880
    • feat(iam): STS web-identity AWS-fidelity polish (Phase 1) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9318
    • feat(iam): OIDC provider store + read-only IAM API (Phase 2a) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9319
    • fix(test/s3/policy): allocate fresh admin port per subtest by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9332
    • feat(iam): OIDC provider mutations + multi-client + TLS thumbprints (Phase 2b) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9320
    • feat(iam): principal session tags from OIDC tokens (Phase 3a) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9321
    • feat(iam): claim-based policy mode for AssumeRoleWithWebIdentity (Phase 3b) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9322
    • fix(iam): reject empty issuer in ComputeParentUser by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9326
    • feat(iam): account-scoped OIDC providers (Phase 3c) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9323
    • feat(iam): opt-in session revocation via JTI blocklist (Phase 3d) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9324
    • feat(iam): OIDC provider audit trail (Phase 3e) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9325
    • fix(iam): four phase-3 follow-ups (provider scoping, public path wrapper, static mirror, claim-mode RoleArn) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9333
    • fix(s3api): cap copy-chunk receive buffer to avoid append-grow blowup by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9420
    • fix: cap pool retention so chunk-copy buffers don't hoard memory by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9422
    • feat(s3api): stream chunk copy via io.Pipe to cut peak working set by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9424
    • feat(s3api): full-chunk gzip pass-through skips volume-side decompress by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9427
    • feat(s3): stamp noncurrent_since on versioned demotions by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9431
    • fix(s3/audit): emit audit log for successful GET/HEAD by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9467
    • fix(s3/versioning): repair dangling latest-version pointer after partial delete by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9460
    • feat(s3/versioning): grep-able heal logs + scan-anomaly diagnostics + audit cmd by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9468
  • S3 Lifecycle

    • A series of PRs to implement metadata event driven lifecycle enforcement
  • Admin Server and Worker

    • fix(admin/view): wrap plugin history URL with basePath by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9341
    • Fix UI prefix url encoding by @msk-psp in https://github.com/seaweedfs/seaweedfs/pull/9344
  • FUSE mount

    • fix(mount): skip pressure-eviction of gappy page chunks (#9330) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9334
    • fix(mount): preserve user-set mtime through async/periodic flush (#9363) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9370
    • fix(mount): fall through to filer when cached dir misses a tracked inode by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9436
  • Shell

    • fix(shell): scope volume.fsck filer walk when -volumeId selects one bucketed collection by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9347
  • Master

    • fix(master): route ec shard vids to NewEcVids on initial subscribe by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9435
  • Filer

    • filer: scope JWT allowed_prefixes to path components by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9439
    • filer: require admin-signed JWT on the IAM gRPC service by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9442

New Contributors

  • @msk-psp made their first contribution in https://github.com/seaweedfs/seaweedfs/pull/9344

Full Changelog: https://github.com/seaweedfs/seaweedfs/compare/4.23...4.24

Breaking Changes

  • EC planner treats each (server, disk_id) as a distinct target (#9369).
  • Volume server requires admin authentication on ReadAllNeedles and VolumeNeedleStatus.
  • Volume server requires admin authentication on BatchDelete.

About seaweedfs

SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables, designed to handle billions of files with O(1) disk access and effortless horizontal scaling.
