Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Valid IAM credential required (PR:L, AV:N); only operational telemetry disclosed (C:L); no write or availability impact applies.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless of their assigned policy. Every other admin handler in the codebase calls validate_admin_request to enforce admin-action IAM checks; the MetricsHandler skips this call entirely. A restricted IAM user whose policy grants only access to their own bucket can read server-wide operational metrics including disk I/O statistics, network throughput, scanner cycle timing, and cluster RPC state.
AnalysisAI
Unauthorized access to the admin metrics endpoint in RustFS 1.0.0-beta.7 and earlier allows any authenticated IAM user to read server-wide operational telemetry regardless of their assigned policy. The MetricsHandler for /rustfs/admin/v3/metrics omits the validate_admin_request call that every other admin handler enforces, exposing disk I/O statistics, network throughput, scanner cycle timing, and cluster RPC state to restricted users whose policies should grant no such visibility. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold at least one valid IAM credential for the target RustFS cluster - unauthenticated exploitation is not possible, as confirmed by PR:L in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 4.3 (Medium) accurately captures the constrained impact: network-reachable (AV:N), low complexity (AC:L), but gated behind valid IAM credentials (PR:L), with only limited confidentiality disclosure (C:L) and no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with any valid RustFS IAM credential - such as a developer account scoped to a single bucket - sends an authenticated HTTP GET request to /rustfs/admin/v3/metrics. Because MetricsHandler skips validate_admin_request, the server returns full cluster telemetry including disk I/O rates, network throughput figures, scanner cycle timing, and RPC state without raising an authorization error. … |
| Remediation | Consult the vendor advisory at https://github.com/rustfs/rustfs/security/advisories/GHSA-f5cv-v44x-2xgf to identify the patched release and upgrade as soon as one is confirmed; no specific fixed version number is available from the current intelligence data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o
RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c
Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob
Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis
RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali
Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot
Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI
Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0
License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded
Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri
Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef
Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39863