Skip to main content

RustFS CVE-2026-55188

| EUVDEUVD-2026-39866 HIGH
Information Exposure (CWE-200)
2026-06-26 GitHub_M
8.2
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.2 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
7.7 HIGH

Straightforward authenticated network API call (AC:L, PR:L); disclosed remote credentials affect a separate system (S:C, C:H), but this bug only reads data, so I:N/A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 20:36 vuln.today

DescriptionCVE.org

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets only checks whether request credentials exist, but does not verify that the caller has replication or administrator permissions. As a result, an authenticated user with no effective bucket or admin permissions can list remote replication target configuration for a bucket. Because the returned BucketTarget objects include remote target credentials, this can disclose replication access keys and secret keys. This vulnerability is fixed in 1.0.0-beta.9.

AnalysisAI

Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no effective bucket or admin permissions read remote replication target configuration via the bucket replication admin API. Because the returned BucketTarget objects embed remote credentials, an attacker can harvest replication access keys and secret keys for downstream systems. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege RustFS credentials
Delivery
Call ListRemoteTargetHandler admin API for bucket
Exploit
Missing authZ check returns BucketTarget objects
Execution
Extract remote target access and secret keys
Persist
Reuse credentials against remote replication system
Impact
Read or tamper with replicated data

Vulnerability AssessmentAI

Exploitation Requires (1) valid authentication credentials to the RustFS instance - any account suffices, even one with no effective bucket or admin permissions; and (2) the target bucket must have bucket replication configured with one or more remote targets, since only then do BucketTarget objects contain remote access/secret keys to disclose. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 3.1 score of 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N) reflects network reach, low-privilege authenticated access, a scope change, and high confidentiality/integrity impact - the integrity and scope-change weighting stems from leaked credentials enabling access to a separate remote system rather than from any in-place modification by this bug alone. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privilege tenant or service account on a shared RustFS cluster - one holding valid credentials but no replication or admin rights - calls the list-remote-targets admin endpoint for a bucket configured with replication. The response returns BucketTarget objects containing the remote target's access and secret keys, which the attacker then reuses to read or tamper with data on the remote replication system. …
Remediation Vendor-released patch: 1.0.0-beta.9 - upgrade all RustFS instances to 1.0.0-beta.9 or later, as documented in advisory GHSA-796f-j7xp-hwf4 (https://github.com/rustfs/rustfs/security/advisories/GHSA-796f-j7xp-hwf4). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all RustFS instances and their versions; temporarily disable bucket replication if non-critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Rustfs

View all
CVE-2025-68705 CRITICAL POC
9.8 Jan 07

RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o

CVE-2026-22043 CRITICAL POC
9.8 Jan 08

RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c

CVE-2026-27822 CRITICAL POC
9.0 Feb 25

Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob

CVE-2026-22042 HIGH POC
8.8 Jan 08

Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis

CVE-2026-22782 HIGH POC
7.5 Jan 16

RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali

CVE-2026-45039 CRITICAL
9.8 May 28

Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot

CVE-2026-45043 CRITICAL
9.3 May 29

Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI

CVE-2026-45044 HIGH
8.8 May 28

Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0

CVE-2026-45041 HIGH
8.7 May 28

License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded

CVE-2026-49991 HIGH
8.6 Jun 26

Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri

CVE-2026-27607 HIGH
8.1 Feb 25

Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to

CVE-2025-69255 MEDIUM POC
4.0 Jan 07

RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]

Share

CVE-2026-55188 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy