Skip to main content

RustFS CVE-2026-47136

| EUVDEUVD-2026-32993 MEDIUM
Information Exposure (CWE-200)
2026-05-28 GitHub_M
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 28, 2026 - 20:02 EUVD
Analysis Generated
May 28, 2026 - 19:27 vuln.today
CVSS changed
May 28, 2026 - 19:22 NVD
6.9 (MEDIUM)

DescriptionGitHub Advisory

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the RustFS console endpoint GET /rustfs/console/license returns parsed license metadata without requiring authentication. The endpoint is registered on the console listener and returns JSON containing license information such as the license subject and expiration timestamp. Any client that can reach the console listener can query this endpoint without credentials. This vulnerability is fixed in 1.0.0-beta.2.

AnalysisAI

Unauthenticated information disclosure in RustFS exposes parsed license metadata - including license subject and expiration timestamp - via the console endpoint GET /rustfs/console/license to any network client that can reach the console listener, with no credentials required. All RustFS releases prior to 1.0.0-beta.2 are affected. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, and the CVSS 4.0 confidentiality impact is rated Low given the non-sensitive nature of the disclosed data.

Technical ContextAI

RustFS is a distributed object storage system implemented in Rust, analogous in purpose to MinIO or S3-compatible backends. The vulnerability arises from a missing authentication enforcement on a REST endpoint registered to the console listener, a pattern described by CWE-200 (Exposure of Sensitive Information to Unauthorized Actor). The endpoint /rustfs/console/license performs license metadata parsing and serializes the result as JSON, but no authentication middleware gates the route. The CPE cpe:2.3:a:rustfs:rustfs:*:*:*:*:*:*:*:* covers all versions of the rustfs application up to (but not including) the fixed release 1.0.0-beta.2. The console listener is likely a distinct port or interface from the primary data plane, which is a relevant architectural boundary for network-level compensating controls.

RemediationAI

Vendor-released patch: 1.0.0-beta.2, confirmed by the GitHub Security Advisory GHSA-xp32-gxq2-3v52 (https://github.com/rustfs/rustfs/security/advisories/GHSA-xp32-gxq2-3v52). Upgrade RustFS to 1.0.0-beta.2 or later as the primary remediation. If an immediate upgrade is operationally infeasible, apply a network-level compensating control by restricting access to the RustFS console listener port using host-based firewall rules (e.g., iptables, nftables, cloud security groups) to permit only trusted administrative IP ranges; this eliminates network reachability for untrusted clients without modifying the application, but does not fix the underlying authentication gap and should be treated as temporary. Note that this compensating control does not protect against exploitation from within the permitted network segment, so insider threat exposure remains.

More in Rustfs

View all
CVE-2025-68705 CRITICAL POC
9.8 Jan 07

RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o

CVE-2026-22043 CRITICAL POC
9.8 Jan 08

RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c

CVE-2026-27822 CRITICAL POC
9.0 Feb 25

Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob

CVE-2026-22042 HIGH POC
8.8 Jan 08

Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis

CVE-2026-22782 HIGH POC
7.5 Jan 16

RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali

CVE-2026-45039 CRITICAL
9.8 May 28

Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot

CVE-2026-45043 CRITICAL
9.3 May 29

Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI

CVE-2026-45044 HIGH
8.8 May 28

Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0

CVE-2026-45041 HIGH
8.7 May 28

License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded

CVE-2026-49991 HIGH
8.6 Jun 26

Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri

CVE-2026-55188 HIGH
8.2 Jun 26

Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef

CVE-2026-27607 HIGH
8.1 Feb 25

Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to

Share

CVE-2026-47136 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy