Skip to main content

RustFS EUVDEUVD-2026-39864

| CVE-2026-55189 HIGH
Missing Authorization (CWE-862)
2026-06-26 GitHub_M
7.7
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.7 HIGH

Requires an authenticated FTP login (PR:L) over the network; bypassing the IAM authorization boundary is a scope change (S:C) with read-only data exposure (C:H, I:N, A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 20:35 vuln.today

DescriptionCVE.org

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers (and the entire HTTP S3 path) use. As a result, any user who can authenticate to the FTP listener - including a user whose IAM policy contains an explicit Deny on s3:GetObject - can read (RETR) and stat (SIZE/MDTM) any object in any bucket, and probe any bucket (CWD), completely regardless of their IAM policy. This vulnerability is fixed in 1.0.0-beta.9.

AnalysisAI

Authorization bypass in RustFS (1.0.0-alpha.1 through pre-beta.9 builds) lets any user able to authenticate to the optional FTP listener read and stat arbitrary objects in any bucket, even when their IAM policy explicitly Denies s3:GetObject. The FTP read/probe handlers (RETR, SIZE, MDTM, CWD) dispatch straight to the storage backend and skip the IAM authorization check enforced everywhere else, breaking tenant/object isolation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to enabled FTP listener
Delivery
CWD to probe target buckets
Exploit
SIZE/MDTM to locate objects
Execution
RETR object bypassing IAM Deny
Impact
Exfiltrate confidential data

Vulnerability AssessmentAI

Exploitation Exploitation requires that the RustFS FTP frontend be enabled (a non-default deployment choice) and that the attacker can authenticate to the FTP listener with valid credentials (PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.7 (High) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N: network-reachable, low complexity, requires only low privileges (a valid FTP credential), no user interaction, and a scope change because the bug lets an authenticated low-privilege user cross the IAM authorization boundary into data they were explicitly denied. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds (or obtains) any RustFS FTP credential-even an account whose IAM policy explicitly Denies s3:GetObject-connects to the FTP listener, uses CWD to enumerate buckets and SIZE/MDTM to locate objects, then issues RETR to download confidential objects from buckets they were never authorized to access. Given AV:N/AC:L, this requires only network reach to the FTP port and a single low-privilege login, with no special tooling; no public exploit code has been identified at time of analysis.
Remediation Vendor-released patch: upgrade RustFS to 1.0.0-beta.9, which adds the missing IAM authorization call to the FTP read and probe handlers. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory RustFS deployments running versions 1.0.0-alpha.1 through pre-beta.9 with FTP listener enabled; disable FTP listener if operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Rustfs

View all
CVE-2025-68705 CRITICAL POC
9.8 Jan 07

RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o

CVE-2026-22043 CRITICAL POC
9.8 Jan 08

RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c

CVE-2026-27822 CRITICAL POC
9.0 Feb 25

Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob

CVE-2026-22042 HIGH POC
8.8 Jan 08

Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis

CVE-2026-22782 HIGH POC
7.5 Jan 16

RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali

CVE-2026-45039 CRITICAL
9.8 May 28

Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot

CVE-2026-45043 CRITICAL
9.3 May 29

Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI

CVE-2026-45044 HIGH
8.8 May 28

Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0

CVE-2026-45041 HIGH
8.7 May 28

License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded

CVE-2026-49991 HIGH
8.6 Jun 26

Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri

CVE-2026-55188 HIGH
8.2 Jun 26

Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef

CVE-2026-27607 HIGH
8.1 Feb 25

Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to

Share

EUVD-2026-39864 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy