Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Requires an authenticated FTP login (PR:L) over the network; bypassing the IAM authorization boundary is a scope change (S:C) with read-only data exposure (C:H, I:N, A:N).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers (and the entire HTTP S3 path) use. As a result, any user who can authenticate to the FTP listener - including a user whose IAM policy contains an explicit Deny on s3:GetObject - can read (RETR) and stat (SIZE/MDTM) any object in any bucket, and probe any bucket (CWD), completely regardless of their IAM policy. This vulnerability is fixed in 1.0.0-beta.9.
AnalysisAI
Authorization bypass in RustFS (1.0.0-alpha.1 through pre-beta.9 builds) lets any user able to authenticate to the optional FTP listener read and stat arbitrary objects in any bucket, even when their IAM policy explicitly Denies s3:GetObject. The FTP read/probe handlers (RETR, SIZE, MDTM, CWD) dispatch straight to the storage backend and skip the IAM authorization check enforced everywhere else, breaking tenant/object isolation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the RustFS FTP frontend be enabled (a non-default deployment choice) and that the attacker can authenticate to the FTP listener with valid credentials (PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.7 (High) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N: network-reachable, low complexity, requires only low privileges (a valid FTP credential), no user interaction, and a scope change because the bug lets an authenticated low-privilege user cross the IAM authorization boundary into data they were explicitly denied. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds (or obtains) any RustFS FTP credential-even an account whose IAM policy explicitly Denies s3:GetObject-connects to the FTP listener, uses CWD to enumerate buckets and SIZE/MDTM to locate objects, then issues RETR to download confidential objects from buckets they were never authorized to access. Given AV:N/AC:L, this requires only network reach to the FTP port and a single low-privilege login, with no special tooling; no public exploit code has been identified at time of analysis. |
| Remediation | Vendor-released patch: upgrade RustFS to 1.0.0-beta.9, which adds the missing IAM authorization call to the FTP read and probe handlers. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory RustFS deployments running versions 1.0.0-alpha.1 through pre-beta.9 with FTP listener enabled; disable FTP listener if operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o
RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c
Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob
Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis
RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali
Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot
Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI
Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0
License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded
Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri
Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef
Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39864