VDB
KO
HIGH 7.7

GHSA-824w-x939-6cmc

TensorZero Gateway: Arbitrary file read and SSRF in internal object storage endpoint

Details

### Impact

The `/internal/object_storage` endpoint accepts a caller-supplied JSON `storage_path` parameter that dynamically overrides the TensorZero `[object_storage]` configuration.

By abusing the `filesystem` storage type, a caller can read arbitrary files from the gateway filesystem, including files that may contain sensitive credentials. Similarly, by abusing the `s3_compatible` storage type, the caller can coerce the gateway into making outbound object storage requests to attacker-chosen internal/cloud-metadata endpoints.

This vulnerability only applies when the gateway can be accessed by untrusted callers. If a developer's TensorZero deployment has authentication enabled, only authenticated callers can exploit this vulnerability. If a developer's deployment has authentication disabled, any caller can exploit this vulnerability.

### Remediation

The vulnerability has been patched in version `2026.6.0`. See PR #7527.

### Workarounds

If developers are unable to upgrade a gateway that is exposed to untrusted callers, please block external access to the `/internal/object_storage` endpoint.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / tensorzero
Introduced in: 0 Fixed in: 2026.6.0
Fix pip install --upgrade 'tensorzero>=2026.6.0'

References