From 571338a474f694801ca03c66239613aef9deb744 Mon Sep 17 00:00:00 2001
From: Chris Lu <chris.lu@gmail.com>
Date: Fri, 2 Jan 2026 18:29:24 -0800
Subject: [PATCH] Fix variable scoping in verifyV4Signature for STS session
 token validation

---
 weed/s3api/auth_signature_v4.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/weed/s3api/auth_signature_v4.go b/weed/s3api/auth_signature_v4.go
index 714f0a86c..60ddf7218 100644
--- a/weed/s3api/auth_signature_v4.go
+++ b/weed/s3api/auth_signature_v4.go
@@ -205,6 +205,8 @@ func (iam *IdentityAccessManagement) verifyV4Signature(r *http.Request, shouldCh
 		return nil, nil, "", nil, errCode
 	}
 
+	var cred *Credential
+
 	// 2. Check for STS session token
 	if sessionToken := r.Header.Get("X-Amz-Security-Token"); sessionToken != "" {
 		// Validate STS session token
@@ -214,7 +216,8 @@ func (iam *IdentityAccessManagement) verifyV4Signature(r *http.Request, shouldCh
 		}
 	} else {
 		// 3. Lookup user and credentials
-		identity, cred, found := iam.lookupByAccessKey(authInfo.AccessKey)
+		var found bool
+		identity, cred, found = iam.lookupByAccessKey(authInfo.AccessKey)
 		if !found {
 			// Log detailed error information for InvalidAccessKeyId
 			iam.m.RLock()