Skip to main content

RustFS CVE-2026-45044

| EUVDEUVD-2026-32994 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-05-28 GitHub_M
8.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 28, 2026 - 20:02 EUVD
Analysis Generated
May 28, 2026 - 19:27 vuln.today
CVSS changed
May 28, 2026 - 19:22 NVD
8.8 (HIGH)

DescriptionGitHub Advisory

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any unauthenticated HTTP client to invoke profiling handlers without credentials. On supported builds (e.g., glibc), the handler invokes a fixed 60-second CPU profiling operation (dump_cpu_pprof_for(Duration::from_secs(60))). This may result in significant CPU resource consumption per request and can potentially lead to denial of service when abused. Additionally, the handler returns the server’s absolute filesystem path in the response body, resulting in information disclosure. This vulnerability is fixed in 1.0.0-beta.2.

AnalysisAI

Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0-beta.2 allows remote attackers to repeatedly invoke profiling endpoints that the admin router whitelists from authentication. Each request triggers a fixed 60-second CPU profiling operation and leaks the server's absolute filesystem path in the response. CVSS 4.0 scores this 8.8 (High) driven by high availability impact; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Technical ContextAI

RustFS is a Rust-based S3-compatible distributed object storage system positioned as a MinIO alternative. The vulnerability lives in the admin HTTP router, which explicitly bypasses its authentication middleware for the /profile/cpu and /profile/memory routes. The CPU profiler handler is hard-coded to call dump_cpu_pprof_for(Duration::from_secs(60)) on supported builds such as glibc, producing a pprof-format profile and embedding the server's absolute filesystem path in the response body. The root cause is mapped to CWE-306 (Missing Authentication for Critical Function): security-sensitive diagnostic functionality is reachable without any credential check, and a long, fixed-duration server-side operation is exposed to anonymous callers.

RemediationAI

Vendor-released patch: upgrade to RustFS 1.0.0-beta.2 or later, which removes /profile/cpu and /profile/memory from the admin router's authentication whitelist; see https://github.com/rustfs/rustfs/security/advisories/GHSA-8784-9m7f-c6p6 for the upstream advisory. Where immediate upgrade is not possible, block external access to the /profile/cpu and /profile/memory paths at a reverse proxy or WAF (trade-off: legitimate operator profiling must then be performed from inside the trusted network), or restrict the entire admin listener to a management VLAN or loopback bound to an SSH bastion (trade-off: out-of-band tooling that polls the admin port must be re-homed). Avoid simply rate-limiting the endpoints as a sole control because a single request still costs 60 seconds of CPU and continues to disclose the filesystem path.

More in Rustfs

View all
CVE-2025-68705 CRITICAL POC
9.8 Jan 07

RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o

CVE-2026-22043 CRITICAL POC
9.8 Jan 08

RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c

CVE-2026-27822 CRITICAL POC
9.0 Feb 25

Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob

CVE-2026-22042 HIGH POC
8.8 Jan 08

Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis

CVE-2026-22782 HIGH POC
7.5 Jan 16

RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali

CVE-2026-45039 CRITICAL
9.8 May 28

Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot

CVE-2026-45043 CRITICAL
9.3 May 29

Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI

CVE-2026-45041 HIGH
8.7 May 28

License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded

CVE-2026-49991 HIGH
8.6 Jun 26

Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri

CVE-2026-55188 HIGH
8.2 Jun 26

Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef

CVE-2026-27607 HIGH
8.1 Feb 25

Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to

CVE-2025-69255 MEDIUM POC
4.0 Jan 07

RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]

Share

CVE-2026-45044 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy