Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Straightforward authenticated network API call (AC:L, PR:L); disclosed remote credentials affect a separate system (S:C, C:H), but this bug only reads data, so I:N/A:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets only checks whether request credentials exist, but does not verify that the caller has replication or administrator permissions. As a result, an authenticated user with no effective bucket or admin permissions can list remote replication target configuration for a bucket. Because the returned BucketTarget objects include remote target credentials, this can disclose replication access keys and secret keys. This vulnerability is fixed in 1.0.0-beta.9.
AnalysisAI
Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no effective bucket or admin permissions read remote replication target configuration via the bucket replication admin API. Because the returned BucketTarget objects embed remote credentials, an attacker can harvest replication access keys and secret keys for downstream systems. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) valid authentication credentials to the RustFS instance - any account suffices, even one with no effective bucket or admin permissions; and (2) the target bucket must have bucket replication configured with one or more remote targets, since only then do BucketTarget objects contain remote access/secret keys to disclose. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 3.1 score of 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N) reflects network reach, low-privilege authenticated access, a scope change, and high confidentiality/integrity impact - the integrity and scope-change weighting stems from leaked credentials enabling access to a separate remote system rather than from any in-place modification by this bug alone. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privilege tenant or service account on a shared RustFS cluster - one holding valid credentials but no replication or admin rights - calls the list-remote-targets admin endpoint for a bucket configured with replication. The response returns BucketTarget objects containing the remote target's access and secret keys, which the attacker then reuses to read or tamper with data on the remote replication system. … |
| Remediation | Vendor-released patch: 1.0.0-beta.9 - upgrade all RustFS instances to 1.0.0-beta.9 or later, as documented in advisory GHSA-796f-j7xp-hwf4 (https://github.com/rustfs/rustfs/security/advisories/GHSA-796f-j7xp-hwf4). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all RustFS instances and their versions; temporarily disable bucket replication if non-critical. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o
RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c
Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob
Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis
RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali
Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot
Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI
Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0
License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded
Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri
Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to
RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39866