Skip to main content

RustFS EUVDEUVD-2026-39865

| CVE-2026-49991 HIGH
Path Traversal (CWE-22)
2026-06-26 GitHub_M
8.6
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
vuln.today AI
7.7 HIGH

Description requires an authenticated tenant with PutObject, so PR:L not PR:N; write-only cross-tenant impact gives I:H with C:N/A:N and S:C for the boundary crossing.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 20:36 vuln.today

DescriptionCVE.org

RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: No ../ sanitization in tar entry key normalization; IAM wildcard matching uses raw (uncleaned) paths; and Filesystem path cleaning resolves ../ across bucket boundaries.

AnalysisAI

Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket write arbitrary objects into other tenants' buckets, fully breaking multi-tenant isolation. The flaw lives in the Snowball auto-extract feature and chains three weaknesses (unsanitized tar entry keys, IAM wildcard matching on raw paths, and filesystem path cleaning that resolves ../ across bucket boundaries). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege tenant
Delivery
Craft tar with ../ traversal keys
Exploit
Upload via Snowball auto-extract
Execution
IAM check passes on raw path
Persist
Filesystem resolves ../ across bucket boundary
Impact
Write objects into victim tenant bucket

Vulnerability AssessmentAI

Exploitation Requires an authenticated tenant account with at least PutObject permission on its own bucket, and the target RustFS instance must have the Snowball auto-extract (server-side tar unpacking) feature available and invokable by that tenant. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N, 8.6) and the prose description conflict on a key point: the vector encodes PR:N (unauthenticated), but the description explicitly requires an authenticated tenant holding PutObject permission - verify with the vendor, as a realistic assessment is PR:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged tenant who can only PutObject to their own bucket uploads a crafted tar archive through the Snowball auto-extract endpoint, embedding tar entry keys containing ../ sequences that point at a victim tenant's bucket path. The IAM check passes against the raw path while the filesystem resolves the traversal across the bucket boundary, planting attacker-controlled objects in the victim's bucket. …
Remediation No vendor-released patched version is identified in the available data; consult the GitHub Security Advisory GHSA-f4vq-9ffr-m8m3 (https://github.com/rustfs/rustfs/security/advisories/GHSA-f4vq-9ffr-m8m3) for the fixed release and upgrade off 1.0.0-beta.4 once it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all RustFS 1.0.0-beta.4 deployments in production and audit recent Snowball archive extraction operations for unauthorized cross-tenant object writes. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Rustfs

View all
CVE-2025-68705 CRITICAL POC
9.8 Jan 07

RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o

CVE-2026-22043 CRITICAL POC
9.8 Jan 08

RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c

CVE-2026-27822 CRITICAL POC
9.0 Feb 25

Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob

CVE-2026-22042 HIGH POC
8.8 Jan 08

Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis

CVE-2026-22782 HIGH POC
7.5 Jan 16

RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali

CVE-2026-45039 CRITICAL
9.8 May 28

Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot

CVE-2026-45043 CRITICAL
9.3 May 29

Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI

CVE-2026-45044 HIGH
8.8 May 28

Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0

CVE-2026-45041 HIGH
8.7 May 28

License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded

CVE-2026-55188 HIGH
8.2 Jun 26

Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef

CVE-2026-27607 HIGH
8.1 Feb 25

Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to

CVE-2025-69255 MEDIUM POC
4.0 Jan 07

RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]

Share

EUVD-2026-39865 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy